Yield farmers looking for quick money recently bought into a controversial DeFi protocol called UniCats. The yield farming scheme resembles better-known protocols such as SushiSwap or Yam.
According to ZenGo researcher Alex Manuskin, at least one user lost more than $140,000 in Uniswap tokens (UNI) even after their money was removed from the protocol. Manuskin told Cointelegraph that other users lost about $50,000 more.
Users have fallen prey to a dangerous practice pervasive in DeFi, where most protocols require permission to withdraw an unlimited amount of a specific token from a user’s wallet. As Cointelegraph previously reported, DApps like Compound, Uniswap, Kyber, and others often ask for infinite approvals. This allows smart contracts to move any amount of a particular token on behalf of each wallet holder.
Some wallets allow users to manually enter an approved amount, although usually the default is set to a maximum.
This was the case with UniCats, Manuskin explained: “It was not just a reliable cashier scam, it also wanted to take all approved tokens from users.”
The UniCats contracts contain a hidden “setGovernance” function that allows the owner to call any function on behalf of the contract. Because users had granted this contract an infinite approval, the developer was able to completely empty their UNI balances.
The tokens were quickly sold for ether (ETH), which was then sent to the Tornado Cash mixer, leading many to ask if this was intentional.
The event emphasizes the importance of transferring funds only to recognized and audited projects. In the wake of the yield farming mania, many lesser-known yield farming projects have sprung up to take advantage of this trend. Unfortunately, they often contained various types of backdoor. Many farmers were “rug pulled” and lost money in such incidents.
The difference with UniCats is that developers are usually limited to the tokens committed to the protocol. The infinite approval mechanism allows each approved token to be extracted from the user’s wallet indefinitely. The wallet is completely compromised until the approval is revoked, which means that any new tokens sent to the address could be stolen in the same way.
The approval mechanism became necessary due to a limitation of the ERC-20 standard used for Ethereum tokens. DApps and smart contracts cannot determine whether the user has transferred money to the contract. Instead, the contract transfers funds on behalf of the user, which requires prior approval. Newer standards such as ERC-777 fix this issue, although this type of token still has vulnerabilities of its own and can also be subject to theft.
The reason for designing infinite approvals is that users save gas and time by not having to approve each transaction separately. However, as the June Bancor vulnerability has shown, any compromise of a protocol puts users at risk of theft, even if they haven’t interacted with the protocol for some time.
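The point that an approval stays in force until it is revoked can be checked from a wallet's own history. The following is an added example (not from the article or from any project it names) that replays ERC-20 `Approval` event logs and lists spenders still holding an effectively unlimited allowance; the addresses, the log entries and the 2**255 threshold are assumptions made for illustration.

```python
# Added example: find ERC-20 approvals that are still live.
# All addresses and log entries below are constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def _addr(topic):
    """Indexed address topics are 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Replay Approval logs in chain order; keep the last non-zero value per
    (token, owner, spender). Spending via transferFrom is not visible in these
    logs, so confirm a finding with the token's allowance() before acting."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) revokes
        else:
            state[key] = amount
    return state

def unlimited(state):
    """Return the (token, owner, spender) keys whose allowance is unlimited."""
    return sorted(k for k, v in state.items() if v >= UNLIMITED_FLOOR)

def _log(block, index, token, owner, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

TOKEN, OWNER = "0x" + "11" * 20, "0x" + "aa" * 20
FARM, DEX, OLD = "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    _log(110, 0, TOKEN, OWNER, OLD, 0),             # revocation, listed out of order
    _log(100, 2, TOKEN, OWNER, FARM, MAX_UINT256),  # wallet default: unlimited
    _log(101, 0, TOKEN, OWNER, DEX, 500),           # user typed an exact amount
    _log(105, 1, TOKEN, OWNER, OLD, MAX_UINT256),   # unlimited, revoked at block 110
]

if __name__ == "__main__":
    for token, owner, spender in unlimited(live_allowances(SAMPLE_LOGS)):
        print(f"unlimited approval still live: {owner} -> {spender} on {token}")
```

Any spender this reports can be cut off by sending `approve(spender, 0)` to the token contract from the affected wallet.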