Key takeaways:
- Unibot, a popular Telegram bot used for Uniswap trading, experienced an approval vulnerability.
- The vulnerability in a newly deployed contract led to the loss of meme coins valued at over $600,000.
In the ever-growing list of crypto hacks, Unibot, a popular trading tool on Telegram, has become the latest victim. On October 31, alarm bells rang as the Unibot project disclosed a “token approval exploit” that had affected the platform.
Fortunately, the project assured users that their keys and wallets were safe and that all funds impacted by the bot’s “new router” would be compensated.
The exploit targeted a new contract deployed on October 29 by Unibot, which is widely used on Telegram to execute trades on the decentralized exchange Uniswap. This attack resulted in the theft of approximately $560,000 in various memecoins from Unibot users.
The incident came to light when the blockchain analytics firm Scopescan alerted Unibot users about the ongoing hack, which had gone undetected for some time. The attacker utilized the exploit in the new contract to drain the crypto holdings of several users. According to Etherscan data, the exploiter had been moving users’ crypto and trading it for ETH.
The Unibot attacker even received 1 ETH as a gas fee from the FixedFloat coin mixer just one week after the crypto trading bot’s launch, as revealed by Scopescan.
Onchain analytics from Lookonchain reported that the exploiter had stolen over $600,000. Early on October 31, security analysts at PeckShield raised the alarm, estimating that roughly $580,000 worth of crypto had been affected. Unibot soon confirmed the exploit in a separate post.
The company acknowledged, “We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Cryptocurrencies stolen via the exploit on the Unibot Telegram chatbot were then laundered through Tornado Cash and are currently on the move.
According to PeckShield, the attacker initially transferred the stolen crypto to Uniswap and subsequently sent it to Tornado Cash. SlowMist, another security firm, pointed out that the attack occurred due to missing essential parameter verifications, enabling the attacker to move tokens that users had authorized for the Unibot contract.
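SlowMist's description above, as an added example that is not from the original article or from Unibot's contract: a toy Python model of an ERC-20 allowance and a router that spends it. The specific missing check (comparing the caller-supplied `owner` with the caller) and all names are assumptions for illustration; the article does not say which parameter went unverified.

```python
# Added illustration: toy ERC-20 allowance ledger and router (not Unibot's code).
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining approved amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # The token only verifies that `owner` approved `spender` for `amount`.
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("balance too low")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Router:
    ADDRESS = "router"  # hypothetical address users approve for trading

    def __init__(self, token):
        self.token = token

    def pull_unchecked(self, caller, owner, to, amount):
        # Assumed flaw: caller-supplied `owner` is never compared with `caller`,
        # so the router spends whichever approval the caller names.
        self.token.transfer_from(self.ADDRESS, owner, to, amount)

    def pull_checked(self, caller, owner, to, amount):
        # Hardened form: the router only spends the caller's own approval.
        if owner != caller:
            raise PermissionError("caller may only move its own tokens")
        self.token.transfer_from(self.ADDRESS, owner, to, amount)


def demo():
    token = Token({"alice": 1000})                # constructed sample state
    router = Router(token)
    token.approve("alice", Router.ADDRESS, 1000)  # alice approves the router
    try:
        router.pull_checked("mallory", "alice", "mallory", 1000)
        blocked = False
    except PermissionError:
        blocked = True
    router.pull_unchecked("mallory", "alice", "mallory", 1000)
    return blocked, token.balances
```

In this model the token contract cannot tell the two router paths apart, because both calls come from the approved spender; the only place the check can live is in the router itself.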
Tornado Cash has been involved in several high-profile hacks and exploits within the crypto world. Back in August, there were talks of the decentralized privacy protocol wanting to regain its governance control after a token vote that garnered strong community support. With overwhelming backing for the proposal, this marks a significant milestone in restoring the protocol’s governance functionality.
This incident serves as a reminder of the persistent threats in the crypto space and highlights the importance of robust security measures to protect digital assets.