Uniswap Phishing Attack in July 2022
In July 2022, there was a phishing attack on Uniswap using a fake airdrop announcement. Describe anything interesting about this attack and its victims.
Summary of What Happened
Uniswap is a leading decentralized crypto exchange that runs on the Ethereum blockchain, which uses a decentralized network protocol. The protocol facilitates automated transactions between cryptocurrency tokens on the Ethereum blockchain using smart contracts. On Monday 11th July, the Binance CEO @cz_binance raised the alarm when he tweeted about a potential exploit on Uniswap (right image).
Blockchain explorers such as etherscan.io are commonly used as archives for transactions and give users information about tokens before they decide whether to invest in them. Many hackers use these blockchain explorers to mislead users with false information, making them believe that a token or contract is legitimate. In this case, the attackers created a simple ERC20 token and airdropped it (sent it for free) to users who held UNI tokens. The goal of this airdrop was to lure the victims to the attackers' scam website. The phishing campaign succeeded because the airdrop transaction appeared legitimate on etherscan.io, as can be seen in the following screenshot:
As illustrated, it seems as if Uniswap V3 had indeed sent the tokens. When the victim clicked on the token, it led them to the phishing website, UniswapLP.com (the website is currently down):
On the website, the victim saw that they could swap the LP token received via the airdrop for UNI tokens:
Followed by the transfer right:
By pressing the “Click here to claim” button, the victim granted the attacker full access to their account. This allowed the hacker to access all the Uniswap LP (Liquidity Pool) tokens held by the user.
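The write-up describes the signed "claim" transaction as an approval. The following is an added example, not code from the original page, of a pre-signing check that decodes calldata and rates token approvals. The function names and the sample spender are hypothetical and constructed, the two selectors are the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` ones, and which of them the phishing site actually requested is not stated on the page.

```python
# Added example: pre-signing check for approval calldata. Sample data is constructed.
APPROVE = "095ea7b3"               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # ERC-721/1155 setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI argument word after the 4-byte selector."""
    word = data[4 + 32 * i : 4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def inspect_calldata(calldata_hex: str, trusted=frozenset()) -> dict:
    """Classify calldata a site asks the wallet to sign and rate approvals.

    `trusted` holds lowercase 0x-prefixed spender addresses the user already relies on.
    """
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4].hex()
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "risk": "none"}
    addr = _word(data, 0)
    if any(addr[:12]):
        raise ValueError("address argument is not zero-padded")
    spender = "0x" + addr[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    if selector == APPROVE:
        kind, unlimited = "erc20_approve", value == MAX_UINT256
    else:
        # A true flag gives the operator rights over every token in the collection.
        kind, unlimited = "set_approval_for_all", value != 0
    if value == 0:
        risk = "none"               # zero allowance or false flag is a revocation
    elif spender in trusted:
        risk = "low"
    else:
        risk = "high" if unlimited else "medium"
    return {"kind": kind, "spender": spender, "unlimited": unlimited, "risk": risk}


def encode(selector: str, spender: str, value: int) -> str:
    """Build sample calldata for the demo (not a general ABI encoder)."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")


UNKNOWN = "0x" + "ab" * 20          # constructed placeholder spender address
if __name__ == "__main__":
    for sel, val in ((APPROVE, MAX_UINT256), (SET_APPROVAL_FOR_ALL, 1), (APPROVE, 0)):
        print(inspect_calldata(encode(sel, UNKNOWN, val)))
```

A "high" result for a spender the user has never dealt with is the situation described above: the claim button requests standing rights over the user's tokens rather than delivering an airdrop.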
Through this new phishing scam, the attacker stole 8 million dollars’ worth of ETH, as can be seen in the following screenshot:
The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200). Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract (0xcf39b7793512f03f2893c16459fd72e65d2ed00c).
The phishing actors created an ERC20 token and airdropped it to 73,399 users who held UNI tokens, spending 8.5 ETH in TX fees for the high volume of the transactions.
End of the Story
Sources:
Methodology
So, based on the above data, we know that the malicious smart contract address is 0xcf39b7793512f03f2893c16459fd72e65d2ed00c and the attack date is Monday 11th July 2022.
Moreover, the hacker deposited all of the stolen assets (worth more than 4200 ETH) into Tornado Cash to be laundered. The Tornado Cash contract address is 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b and the hacker wallet address that interacted with Tornado Cash is 0x09b5027ef3a3b7332ee90321e558bad9c4447afa.
Based on the left data, we can see the exact number of unique compromised wallets, which is 73399.
I extracted this number by filtering for wallets that have interacted with the malicious smart contract (0xcf39b7793512f03f2893c16459fd72e65d2ed00c).
On the left chart, I have calculated the aggregate token balance of the compromised wallets before (10th July) and after (12th July) the scam. Moreover, I have filtered results to only show tokens which are listed on Uniswap Pools because the fake phishing transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user.
So, we can see the results on the left chart (in USD).
And in the left data, I have calculated the total stolen ETH by analysing the value of the assets deposited to Tornado Cash (0xd90e2f925da726b50c4ed8d0fb90ad053324f31b) by the hacker's phishing wallet (0x09b5027ef3a3b7332ee90321e558bad9c4447afa).
In the image below, we can see the balance of the phishing wallet:
To calculate the LP tokens that constituted the largest share of stolen funds, I have extracted the left data and chart using the strategy below:
I have calculated the balance difference of each token before and after the attack for the victim wallets.
The left chart is the result. I think Saitama data is kinda wrong. Also, the result may not be so accurate either, but here is my method for this, and I didn't find any source or another method to calculate the correct result because the tokens are not transferred.
As another method (and probably the more accurate one), I have calculated the stolen tokens and their number, as shown in the left table (ordered by number of stolen tokens).
As we see, the WETH token is the most stolen one here.
And here are the top 10 stolen tokens.