Hackers exploit Uniswap security flaw for $25.2 million

Key Takeaways:

• A sandwich attack on Uniswap, a famous decentralised exchange, recently resulted in a massive theft of $25.2 million from eight different pools.

• Attackers exploited a flaw in the Uniswap smart contract, enabling them to complete a number of Deals and ultimately withdraw money from the vulnerable pools.

Decentralized exchange Uniswap experienced a serious “Sandwich attack” security breach. The hack resulted in the theft of assets valued $25.2 million from eight different Uniswap pools.

A sandwich attack is fundamentally a type of front-running that focuses on decentralised financial protocols and services. The fraudulent users search for a pending transaction on the network of their choosing in these attacks. 

From eight different Uniswap pools that were targeted, up to $13.4 million in WETH, $3 million in USDC, $1.8 million in USDT, and 1.7 million in DAI were taken. The stolen money was sent to eight separate addresses and came from the cryptocurrency exchange KuCoin.

8 addresses stole $25.2M assets from 8 #Uniswap pools by #Sandwich attacking.

Including:
– 7,461 $WETH ($13.4M)
– 5.3M $USDC
– 3M $USDT
– 65 $WBTC ($1.8M)
– 1.7M $DAI

And these 8 addresses are funded by @kucoincom. pic.twitter.com/T769G8TgbI

— Lookonchain (@lookonchain) April 3, 2023

The fact that the stolen funds were traced to eight different cryptocurrency wallet addresses suggests that the assault was likely organised by a group of people.

This event might be a pivotal moment for the Miner Extractable Value (MEV) ecosystem as a whole.  The occurrence highlights the risks associated with using decentralised exchanges and the requirement to use prudence when dealing with such systems.

Attackers exploited a vulnerability in the Uniswap smart contract to carry out a series of Deals that ultimately enabled them to withdraw money from the vulnerable pools.

Based on Etherscan transaction history, several MEV bots have been deployed for sandwich trade.  Get other traders to buy or sell assets. Do goal of transformation price in the required direction. The validator was then applied to substitute the reverse coefficients.

#PeckShieldAlert The stolen funds (~25M) are mainly located in 3 addresses, 0x3c98…8eb (~20M), 0x5b04…5b6 (~2.3M) and 0x27bf…f69 (~3M)
0x84cB…8D1, 0x88Fd…7EE, 0x94e0…87C, 0x0429…46C, 0xEafc…D1B, 0xCaCE…975, 0x5b04…5b6 and 0x27bf…f69 these 8 addresses were… https://t.co/7g60VX8ica pic.twitter.com/7oFwYSVoyn

— PeckShieldAlert (@PeckShieldAlert) April 3, 2023

The funding for the validator behind the Uniswap attack came from the anonymous protocol Aztec, indicating that the operation was well thought out. 18 days prior to the assault, the validator made the trades’ confidential deposits.

It’s possible that the attackers used flash loans to artificially increase or decrease the value of the stolen assets, even though the details of the attack haven’t been made public yet. 

This is not the first time that Uniswap has come under the scanner of negative scrutiny.  Back in November of 2022, it was reported that 97% of the crypto projects launched on Uniswap were rug pulls. 

The research looked at 27,588 tokens that were listed on the platform; 631 of them were deemed to be benign, but an astonishing 26,957 were found to be malicious.