Recently, yield farmers (users who earn returns by providing liquidity to DeFi protocols) seeking quick profits were deceived by a dubious DeFi protocol called UniCats, whose name is reminiscent of better-known protocols such as SushiSwap or Yam Finance.
According to ZenGo researcher Alex Manuskin, at least one user lost Uniswap's UNI tokens worth more than $140,000, even after withdrawing the funds from the protocol. Manuskin told Cointelegraph that other users lost about $50,000.
The victims fell prey to a common and dangerous practice in DeFi: most protocols ask for an approval to withdraw an unlimited amount of a specific token from the user's wallet. As previously reported by Cointelegraph, decentralized applications such as Compound, Uniswap and Kyber typically request generous allowances, which let the smart contract carry out any number of transfers of that token on behalf of the wallet owner.
Some wallets allow users to adjust the approved amount manually, although by default it is usually set to the maximum possible value.
Manuskin explained that this was the case with UniCats: "This is not only a deception, but also a scam. It also wants to obtain all the tokens of the user."
The UniCats contract contains a "setGovernance" function that allows its owner to call any function on behalf of the contract. Because users had approved the contract without limit, the developer could withdraw all of a user's UNI tokens.
The withdrawn tokens were immediately swapped for Ethereum (ETH) and then sent to Tornado Cash for mixing, which led many to suspect that the actions were premeditated.
This incident highlights the importance of entrusting funds only to vetted and reputable projects. After the yield farming (liquidity mining) craze, many little-known projects emerged to take advantage of the trend. Unfortunately, they are often simple cash grabs or contain backdoors of various kinds. In similar incidents, many farmers were "rugged" and lost all of their deposited funds.
What sets UniCats apart is that such "builders" usually limit themselves to the tokens entrusted to the protocol. The generous allowance mechanism, however, lets the contract withdraw that token from the user's wallet indefinitely. Until the approval is revoked, the wallet remains fully exposed, which means that any new tokens of that type sent to the address can be stolen in the same way.
The approval mechanism is a necessity for tokens that follow the Ethereum ERC-20 standard. DApps and smart contracts cannot detect when a user has transferred funds to the contract, so the contract must pull the funds on the user's behalf, which requires prior approval. Although such tokens still carry this flaw and remain open to this kind of theft, newer standards such as ERC-777 address it.
The reason for granting unlimited approvals is that users then do not need to approve each transaction separately, saving gas and time. However, as the Bancor vulnerability showed in June, any compromise of the contract exposes users to theft, even if they have not interacted with the protocol for some time.
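The allowance behaviour described above, as an added Python model written for this article (not code from UniCats, Uniswap or any real token contract): a standing unlimited approval survives the user's withdrawal and also covers tokens that arrive later, while a bounded approval is consumed by the deposit and an approve-to-zero revokes it. The farmer, pool, pool owner and balances are constructed.

```python
# Constructed model of ERC-20 allowance semantics; not any real contract's code.
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance most dapps request by default


class ERC20Model:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is how a user revokes a standing allowance
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        # Called by the spender (the pool contract); pulls tokens out of owner's wallet.
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount  # bounded allowances are consumed
        self.transfer(owner, to, amount)


def run_scenario(approved, revoke_after_withdraw=False):
    """Farmer approves the pool, deposits 100 UNI, withdraws them, then receives 50 more.
    The pool owner then makes the contract pull the farmer's whole balance.
    Returns (farmer's balance after the attempt, whether the drain succeeded)."""
    uni = ERC20Model({"farmer": 500, "airdrop": 50})  # constructed balances
    uni.approve("farmer", "pool", approved)
    uni.transfer_from("pool", "farmer", "pool", 100)  # deposit through the dapp
    uni.transfer("pool", "farmer", 100)               # normal withdrawal
    if revoke_after_withdraw:
        uni.approve("farmer", "pool", 0)              # user revokes the approval
    uni.transfer("airdrop", "farmer", 50)             # new tokens land in the wallet later
    try:
        uni.transfer_from("pool", "farmer", "pool_owner", uni.balances["farmer"])
        return uni.balances["farmer"], True
    except PermissionError:
        return uni.balances["farmer"], False
```

With an unlimited approval the whole 550 UNI is pulled, including the 50 that arrived after the withdrawal; with an exact approval of 100 the deposit exhausts the allowance, and with a revoked approval the pull fails outright.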