Tuesday, October 20, 2020

Many yield farmers lost more than they bargained for when they trusted this DeFi dev

Yield farmers looking for a quick profit were recently taken in by a dubious DeFi protocol called UniCats — a yield farming scheme reminiscent of other, more famous protocols like SushiSwap or Yam Finance.

According to ZenGo researcher Alex Manuskin, at least one of its users lost more than $140,000 worth of Uniswap’s UNI tokens even after they removed their funds from the protocol. Other users lost about $50,000 more, Manuskin told Cointelegraph.

The users fell victim to a dangerous practice commonly seen in DeFi, where most protocols will request the authorization to withdraw unlimited amounts of a particular token from the customer’s wallet. As Cointelegraph previously reported, decentralized apps like Compound, Uniswap, Kyber and others often feature infinite allowances. This allows smart contracts to transact as much of a certain token as they want on behalf of each wallet owner.

Some wallets will let users manually fine-tune an approved amount, though this is generally set to the maximum possible value by default.

Such was the case with UniCats, Manuskin explained: “Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.”

The UniCats contract contained a sneaky “setGovernance” function that lets its owner call any function in the name of the contract. Since users granted infinite approvals to this contract, the developer was able to drain the entirety of its users’ UNI balances.

Tokens were immediately sold for Ether (ETH), which was then sent to Tornado Cash to be mixed, leading many to question whether these actions were premeditated.

The incident highlights the importance of delegating funds only to vetted and reputable projects. In the wake of the yield farming mania, many lesser-known yield farms were spun up to capitalize on the trend. Unfortunately, they were often outright cash grabs and featured different types of backdoors. Many yield farmers were “rug pulled” and their funds drained in similar incidents.

The difference with UniCats is that, in those earlier incidents, the “builders” usually limited themselves to the tokens committed to the protocol. The infinite allowance mechanism allows the contract to withdraw every single token in the user’s wallet, forever. The wallet remains completely compromised until the approval is lifted, which means that any new token sent to the address can be stolen in the same manner.

The approval mechanism is made necessary by a limitation of the ERC-20 standard used for Ethereum tokens. DApps and smart contracts cannot detect whether a user has transferred funds to the contract. Hence, the contract transfers the money on behalf of the user, which requires a pre-set approval. Newer standards like ERC-777 fix this flaw, though this type of token still has vulnerabilities and can still become the victim of theft.

The rationale for setting infinite approvals is that users save on gas fees and time by not having to approve each transaction separately. However, as the Bancor vulnerability showed in June, any compromise of a contract down the line exposes its users to theft, even if they haven’t interacted with the protocol in a while.
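The allowance behaviour the article describes, as an added example that is not part of the original report: a toy model of ERC-20 balance and allowance bookkeeping (the names `user`, `farm` and `attacker` are hypothetical) showing that an infinite approval still lets the contract pull tokens that arrive after the user has withdrawn, while an exact approval or a revocation (`approve(spender, 0)`) closes that window.

```python
# Added example, not code from the article or from UniCats: a minimal
# ERC-20 allowance model. Account names are hypothetical placeholders.
UINT256_MAX = 2**256 - 1  # the "infinite" value wallets commonly set by default


class Token:
    """Toy ERC-20: balances plus (owner, spender) -> allowance. Not a real token."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # Overwrites any previous allowance; approve(spender, 0) revokes it.
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves the owner's tokens, limited only by the approved amount."""
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or not self.transfer(owner, to, amount):
            return False
        if allowed != UINT256_MAX:  # many tokens never decrement a max allowance
            self.allowances[(owner, spender)] = allowed - amount
        return True


def simulate(approval, revoke_after_withdraw):
    """Return the user's final balance after staking, withdrawing, receiving
    new tokens, and a drain attempt by whoever controls the farm contract."""
    t = Token({"user": 1000})
    t.approve("user", "farm", approval)                  # the wallet's approve prompt
    assert t.transfer_from("farm", "user", "farm", 1000)  # stake 1000 tokens
    assert t.transfer("farm", "user", 1000)              # user withdraws everything
    if revoke_after_withdraw:
        t.approve("user", "farm", 0)                     # lift the standing allowance
    t.balances["user"] += 500                            # tokens received later
    # The contract owner directs the farm to call transferFrom on the wallet.
    t.transfer_from("farm", "user", "attacker", t.balances["user"])
    return t.balances["user"]
```

With an infinite approval and no revocation the wallet ends at 0, including the 500 tokens that arrived after the withdrawal; an exact approval is consumed by the deposit, and a revocation leaves nothing for the contract to spend.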
