Manuskin believed that UniCats had added a “backdoor” to its yield-farming smart contract which allowed the platform to retain complete control over its users’ tokens even after users withdrew them from the farming pool.
Manuskin illustrated how an anonymous user, named “Jhon Doe” for privacy reasons, apparently lost $140,000 worth of UNI as a result of this scam. The researcher believed that Doe fell for the scam expecting that farming with UniCats could bring “the next YFI”-style success.
Jhon sees a fancy new farming scheme called UniCats, and decides to put some money in. Who knows, it might be the next YFI https://t.co/8bHxzcTC49 pic.twitter.com/gnzHjNQyrQ — Alex Manuskin (@amanusk_) October 5, 2020
Yield-farming dapps typically ask users to approve spending of an unlimited number of tokens, and the user in question consented to such a request, shown in the image below:
The researcher then used an Etherscan transaction record to show that the user farmed “some $MEOW” and afterwards withdrew all of the UNI tokens from the pool. Manuskin explained the process in a tweet:
What Jhon doesn’t know is that once you approve the contract to use ∞ tokens, the contract can take their tokens at any time, even after they were withdrawn from the farming scheme.
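As an added illustration (not code from the article or from UniCats), the following Python model of the ERC-20 approve/transferFrom rules shows why withdrawing did not protect the user: with an unlimited allowance the pool contract can still call transferFrom afterwards, while an exact-amount approval, or revoking the allowance by approving 0 after withdrawing, leaves it nothing to take. The token, the addresses "user", "pool" and "dev", and the balances are constructed for the example.

```python
# Constructed model of the ERC-20 allowance rules (approve / transferFrom);
# an illustration only, not UniCats code. "user", "pool", "dev" are made up.
UINT256_MAX = 2**256 - 1  # the "infinite" approval value


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount spender may pull

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # approving 0 revokes

    def transfer(self, sender, to, amount):
        if amount > self.balances.get(sender, 0):
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def transfer_from(self, spender, owner, to, amount):
        # spender moves owner's tokens; allowed as long as the allowance
        # covers it, regardless of what owner has deposited anywhere
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or not self.transfer(owner, to, amount):
            return False
        if allowed != UINT256_MAX:  # unlimited approvals are never decremented
            self.allowance[(owner, spender)] = allowed - amount
        return True


def exposure(approval, revoke_after_withdraw=False):
    """Farm 500 of 1000 tokens, withdraw, then see whether the pool's
    owner can still drain the wallet. Returns (drained?, final balance)."""
    token = Token({"user": 1000, "pool": 0, "dev": 0})
    token.approve("user", "pool", approval)
    # deposit: the pool contract pulls 500 via transferFrom, as real pools do
    token.transfer_from("pool", "user", "pool", 500)
    # withdraw: pool sends the 500 back; the user now thinks all 1000 are safe
    token.transfer("pool", "user", 500)
    if revoke_after_withdraw:
        token.approve("user", "pool", 0)
    # the backdoor: owner-only pool code calls transferFrom one more time
    drained = token.transfer_from("pool", "user", "dev", token.balances["user"])
    return drained, token.balances["user"]
```

The wallet-side check this suggests is to approve only the amount being deposited, or to reset the allowance to 0 once the position is closed.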
To cover their tracks, the UniCats developers created new smart contracts “for each new victim” and moved the stolen funds in batches of 100 ETH into Tornado Cash, an experimental privacy mixer for Ethereum that makes tracking the destination of funds extremely difficult.
In his research, Manuskin noted that this scam appears to be the first of its kind, in that it abused its own farming-pool protocol. Recently, Bancor, a decentralized liquidity provider, was attacked by hackers who found a similar backdoor vulnerability in its smart contract protocol, which led to a loss of user funds.