- Uniswap’s liquidity pool suffered an attack amounting to a $25 million loss.
- Investigation showed that a validator could be involved.
Uniswap [UNI] has become the latest casualty of exploits in the cryptocurrency industry. The attack was on the protocol’s Liquidity Pool (LP) and ended in the perpetrators carting away $25.2 million. A smart contract developer, who pseudonymously goes by Punk3155 on Twitter, alerted the community about the issue.
Validator gone rogue?
The developer, who monitored every step of the activity, noted that it was likely the handiwork of crooked validators who joined the protocol 18 days earlier. He pointed out,
“Looks like a well-planned attack. Becoming a validator 18 days ago, prepared the tokens 16 days ago.”
Blockchain security platform PeckShield Alert also weighed in on the cause and perpetrators. Through its investigation, the firm located where the stolen funds were transferred, noting that eight addresses originating from the KuCoin exchange were involved and that the funds were stored in three of them.
#PeckShieldAlert The stolen funds (~25M) are mainly located in 3 addresses, 0x3c98…8eb (~20M), 0x5b04…5b6 (~2.3M) and 0x27bf…f69 (~3M)
0x84cB…8D1, 0x88Fd…7EE, 0x94e0…87C, 0x0429…46C, 0xEafc…D1B, 0xCaCE…975, 0x5b04…5b6 and 0x27bf…f69 these 8 addresses were… https://t.co/7g60VX8ica pic.twitter.com/7oFwYSVoyn
— PeckShieldAlert (@PeckShieldAlert) April 3, 2023
Further scrutiny of the event revealed that it was a sandwich attack. Sandwich attacks occur when malicious traders look for a pending transaction within a network and manipulate the order of transactions in the block around it.
In this instance, the eight addresses were able to exploit the Uniswap exposure and capitalize on it. In addition, Uniswap could have been an easy target since it uses a price curve based on liquid demand and supply.
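The ordering pattern described above can be checked for in a block's list of swaps. The following Python is an added example, not code from PeckShield or Uniswap: it flags a sender whose swap and reverse swap in one pool bracket another trader's swap in the same direction, and the `Swap` record, pool names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:
    index: int       # position of the transaction inside the block
    sender: str
    pool: str
    token_in: str
    token_out: str

def find_sandwiches(swaps):
    """Return (front, victims, back) for each same-sender swap / reverse-swap
    pair in one pool that brackets other senders' swaps in the same direction."""
    ordered = sorted(swaps, key=lambda s: s.index)
    found, used = [], set()
    for i, front in enumerate(ordered):
        if front.index in used:
            continue
        for back in ordered[i + 1:]:
            reverse = (back.sender == front.sender and back.pool == front.pool
                       and back.token_in == front.token_out
                       and back.token_out == front.token_in)
            if not reverse:
                continue
            victims = [v for v in ordered
                       if front.index < v.index < back.index
                       and v.pool == front.pool and v.sender != front.sender
                       and (v.token_in, v.token_out) == (front.token_in, front.token_out)]
            if victims:
                found.append((front, victims, back))
                used.update({front.index, back.index})
            break  # only the first reverse swap closes a candidate pair
    return found

# Constructed sample block: addresses and pools are placeholders, not incident data.
SAMPLE_BLOCK = [
    Swap(0, "0xbot",   "WETH/USDC", "WETH", "USDC"),
    Swap(1, "0xalice", "WETH/USDC", "WETH", "USDC"),  # bracketed by 0xbot
    Swap(2, "0xbot",   "WETH/USDC", "USDC", "WETH"),
    Swap(3, "0xcarol", "WETH/DAI",  "DAI",  "WETH"),
    Swap(4, "0xdave",  "WETH/DAI",  "WETH", "DAI"),   # opposite direction to 0xcarol
    Swap(5, "0xcarol", "WETH/DAI",  "WETH", "DAI"),   # round trip, nobody bracketed
]

if __name__ == "__main__":
    for front, victims, back in find_sandwiches(SAMPLE_BLOCK):
        names = ", ".join(v.sender for v in victims)
        print(f"{front.sender} brackets {names} in {front.pool} (tx {front.index}..{back.index})")
```

The round trip by `0xcarol` is not reported because no other sender trades in the same direction between its two swaps, which keeps ordinary in-and-out trading from being flagged.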
Loophole detected, but no one blamed
PeckShield also explained, without laying blame, that a Miner Extractable Value (MEV) bot action was broken. MEV is described as the value that miners can obtain from the order of transactions during block production, and this helped grant the hackers access. The tweet by the blockchain firm read,
“Our analysis shows that the victim txs were replaced by the bot-exploiting transactions, which already included the reverse swap to take profits.”
This attack represented one of the few notable ones the crypto ecosystem has experienced in 2023. Unlike last year when such occurrences were rampant, there seems to have been some calm.
Meanwhile, Lookonchain provided more information about the incident. According to Lookonchain, the assets carted away included 5.3 million USD Coin [USDC], 1.7 million MakerDAO [DAI], some Tether [USDT], Wrapped Bitcoin [WBTC], and Wrapped Ether [WETH].
An occurrence like this reflects the reality of the loopholes still present in the DeFi ecosystem. As such, there might be a need for better security infrastructure. However, Uniswap has not commented on the issue at the time of writing.