Many yield farmers lost more than they bargained for when they trusted this DeFi dev

Published at: Oct. 5, 2020

Yield farmers looking for a quick profit were recently taken in by a dubious DeFi protocol called UniCats — a yield farming scheme reminiscent of other, more famous protocols like SushiSwap or Yam Finance.

According to ZenGo researcher Alex Manuskin, at least one of its users lost more than $140,000 worth of Uniswap's UNI tokens even after they removed their funds from the protocol. Other users lost about $50,000 more, Manuskin told Cointelegraph.

The users fell victim to a dangerous practice commonly seen in DeFi, in which most protocols request authorization to withdraw an unlimited amount of a particular token from the customer's wallet. As Cointelegraph previously reported, decentralized apps like Compound, Uniswap, Kyber and others often feature infinite allowances. This allows smart contracts to transact as much of a certain token as they want on behalf of each wallet owner.

Some wallets will let users manually fine-tune an approved amount, though this is generally set to the maximum possible value by default.

Such was the case with UniCats, Manuskin explained: “Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.”

The UniCats contract contained a sneaky “setGovernance” function that let its owner call any function in the name of the contract. Since users had granted infinite approvals to this contract, the developer was able to drain the entirety of its users’ UNI balances.

Tokens were immediately sold for Ether (ETH), which was then sent to Tornado Cash to be mixed, leading many to question whether these actions were premeditated.

The incident highlights the importance of delegating funds only to vetted and reputable projects. In the wake of the yield farming mania, many lesser-known yield farms were spun up to capitalize on the trend. Unfortunately, they were often outright cash grabs and featured different types of backdoors. Many yield farmers were “rug pulled” and their funds drained in similar incidents.

What sets UniCats apart is that in those earlier incidents the “builders” usually limited themselves to the tokens committed to the protocol. The infinite allowance mechanism allows the contract to withdraw every unit of the approved token in the user’s wallet, for as long as the approval stands. The wallet remains compromised until the approval is lifted, which means that any new tokens of that type sent to the address can be stolen in the same manner.

The approval mechanism is made necessary by a limitation of the ERC-20 standard used for Ethereum tokens. DApps and smart contracts cannot detect when a user transfers tokens to them. Hence, the contract pulls the tokens on behalf of the user, which requires a pre-set approval. Newer standards like ERC-777 fix this flaw, though tokens of this type still have vulnerabilities and can still become the victim of theft.

The rationale for setting infinite approvals is that users save on gas fees and time by not having to approve each transaction separately. However, as the Bancor vulnerability showed in June, any compromise of a contract down the line exposes its users to theft, even if they haven’t interacted with the protocol in a while.
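To make the mechanism concrete, the following is an added Python model of ERC-20 approve/transferFrom semantics; it is not code from the article, from UniCats or from any real token contract. It covers the approval mechanism described above and shows why an unlimited allowance outlives the user's exit from a protocol: a deposit and withdrawal with a bounded approval leaves nothing for the contract owner to take, while an infinite approval lets the owner sweep the balance after the user has left, and again when new tokens arrive, until the user revokes it with approve(0). The addresses ("alice", "bob", "dev"), the Farm contract and all balances are constructed for illustration; the rule that an allowance of 2**256 - 1 is never decremented mirrors common ERC-20 implementations.

```python
"""Toy model of ERC-20 allowances (constructed example, not a real contract)."""

MAX_UINT256 = 2**256 - 1  # the value wallets use for an "infinite" approval


class ERC20:
    """Minimal ERC-20 ledger: balances plus (owner, spender) -> allowance."""

    def __init__(self, initial_balances):
        self.balances = dict(initial_balances)
        self.allowances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer(self, sender, to, amount):
        # A plain transfer gives the receiving contract no callback, which is
        # the ERC-20 limitation that makes approve + transferFrom necessary.
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is how a user revokes a standing allowance.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        # Common implementation detail: MAX_UINT256 means "unlimited" and is
        # never decremented, so the allowance survives every transferFrom.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


class Farm:
    """Deposit/withdraw contract that pulls tokens with transferFrom. The
    owner-only sweep models an arbitrary-call backdoor: anything the contract
    has been approved for can be moved, not just the staked deposit."""

    def __init__(self, token, owner, address="farm"):
        self.token, self.owner, self.address = token, owner, address
        self.staked = {}

    def deposit(self, user, amount):
        self.token.transfer_from(self.address, user, self.address, amount)
        self.staked[user] = self.staked.get(user, 0) + amount

    def withdraw(self, user):
        self.token.transfer(self.address, user, self.staked.pop(user, 0))

    def owner_sweep(self, caller, victim):
        if caller != self.owner:
            raise PermissionError("not owner")
        self.token.transfer_from(self.address, victim, self.owner,
                                 self.token.balance_of(victim))


def try_sweep(farm, victim):
    """True if the farm owner managed to reduce the victim's balance."""
    before = farm.token.balance_of(victim)
    try:
        farm.owner_sweep(farm.owner, victim)
    except PermissionError:
        pass
    return farm.token.balance_of(victim) < before


def unlimited_spenders(token, owner):
    """Defender's check: which spenders hold an unlimited allowance from owner."""
    return sorted(spender for (o, spender), amt in token.allowances.items()
                  if o == owner and amt == MAX_UINT256)


def run_scenario(approval):
    """Alice approves `approval`, stakes 100 UNI, withdraws, and walks away."""
    uni = ERC20({"alice": 1000, "bob": 100, "farm": 0, "dev": 0})
    farm = Farm(uni, owner="dev")
    uni.approve("alice", farm.address, approval)
    farm.deposit("alice", 100)
    farm.withdraw("alice")                      # Alice has her 1000 UNI back
    result = {"drained_after_exit": try_sweep(farm, "alice")}
    uni.transfer("bob", "alice", 50)            # new tokens arrive later
    result["new_tokens_drained"] = try_sweep(farm, "alice")
    result["unlimited_spenders"] = unlimited_spenders(uni, "alice")
    uni.approve("alice", farm.address, 0)       # revoke the allowance
    uni.transfer("bob", "alice", 50)
    result["drained_after_revoke"] = try_sweep(farm, "alice")
    result["final_balance"] = uni.balance_of("alice")
    return result


if __name__ == "__main__":
    print("infinite approval:", run_scenario(MAX_UINT256))
    print("exact approval:   ", run_scenario(100))
```

With the infinite approval the owner empties Alice's wallet after she has withdrawn, empties it again when 50 more UNI arrive, and is stopped only by the revoke; with an approval sized to the deposit the allowance is consumed by the deposit itself and every sweep fails. The `unlimited_spenders` check is the audit a user or wallet can run over their own allowances to decide what to revoke.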
