An investor lost $140,000 in UNI tokens.
As a reminder, UNI is the token of the “Uniswap” decentralized trading platform.
The loss came after the investor deposited his money in a new decentralized finance (DeFi) project called "UniCats", according to Alex Manuskin, a researcher at the digital currency wallet "ZenGo".
The loss dates back to last weekend, when a user named "John Doi" found a new "Yield Farming" project called "UniCats" and decided to transfer some UNI coins to the project's liquidity pool.
According to Manuskin, the user may have thought he had found the next big project in decentralized finance, one that could repeat the run of the Yearn.finance project, which went from zero to $40,000 in two months.
John Doi traded his UNI coins for “MEOW” tokens, which belong to the “UniCats” project.
The UniCats developer then withdrew all the UNI coins deposited in the project. He had previously built a back door into the UniCats smart contract, which gave him control over the funds deposited in the liquidity pool and the ability to withdraw them.
In other words, thanks to this back door, the founder of the UniCats project was able to use the "setGovernance" call to withdraw John Doi's coins.
In two quick transactions, the investor lost 26,000 and 10,000 UNI coins, valued at $94,000 and $38,000 respectively.
The stolen UNI coins were then exchanged for just over 416 Ethereum (about $147,000) on Uniswap.
According to Manuskin, the funds obtained by the UniCats developer did not come only from this investor; many users before him had made the same mistake.
Manuskin estimated that the developer had obtained more than $50,000 from other token holders before John Doi.
He added that this is the first time he has seen this type of attack carried out intentionally with malicious code, although a similar hack was used against the "Bancor" project not long ago.
Manuskin explained that "Bancor" was the victim of an exploit, not of an intentional backdoor created by its developers. He also indicated that the UniCats developer creates additional smart contracts for each new victim to cover his tracks.
The developer then transfers the stolen funds to the "Tornado Cash" cryptocurrency mixing tool, a method that makes it difficult for blockchain analytics companies to track the funds.
Manuskin explained:
"Smart contracts are not reversible after approval, so investors must know what they are depositing their money into and agreeing to exchange.
Much of the problem is due to the fact that users are complicit in agreeing to unlimited amounts, as this is the norm in popular decentralized apps."
What Manuskin describes can be likened to traditional applications that retain the right to charge a subscription every month after the user's first approval.
So careful reading, deep research, asking questions, and seeking advice are the only ways to avoid falling victim to projects like UniCats.
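The unlimited approvals Manuskin describes can be spotted before a transaction is signed. The following is an added example, not code from the article, ZenGo or UniCats: it decodes ERC-20 `approve(address,uint256)` calldata and reports whether the allowance is unlimited and how many tokens the approved contract could pull. The spender address, balance and deposit size are constructed sample values.

```python
# Added example: review ERC-20 approve() calldata before signing.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1                      # the usual "unlimited" allowance value


def strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def decode_approve(calldata_hex: str):
    """Return (spender, amount) from approve() calldata, or raise ValueError."""
    data = bytes.fromhex(strip0x(calldata_hex))
    if len(data) != 4 + 32 + 32 or data[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):  # an address occupies only the low 20 bytes
        raise ValueError("spender word has non-zero padding")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def review_approval(calldata_hex: str, intended_deposit: int, balance: int) -> dict:
    """Classify the allowance and compute what the spender could pull right now."""
    spender, amount = decode_approve(calldata_hex)
    if amount == MAX_UINT256:
        verdict = "unlimited"
    elif amount > intended_deposit:
        verdict = "excessive"
    else:
        verdict = "bounded"
    # transferFrom cannot move more than the owner holds, so current exposure is
    # capped by the balance; an unlimited allowance also covers tokens received later.
    return {"spender": spender, "amount": amount, "verdict": verdict,
            "exposure": min(amount, balance)}


def build_approve(spender: str, amount: int) -> str:
    """Build sample calldata for the demonstration (constructed input)."""
    addr = bytes.fromhex(strip0x(spender)).rjust(32, b"\x00")
    return "0x" + (APPROVE_SELECTOR + addr + amount.to_bytes(32, "big")).hex()


if __name__ == "__main__":
    UNIT = 10**18                 # UNI has 18 decimals
    pool = "0x" + "11" * 20       # constructed placeholder, not a real contract
    balance, deposit = 36_000 * UNIT, 10_000 * UNIT  # constructed sample figures
    for amount in (MAX_UINT256, deposit):
        r = review_approval(build_approve(pool, amount), deposit, balance)
        print(r["verdict"], "exposure:", r["exposure"] // UNIT, "UNI")
```

With the exact-amount approval, the spender can move only the 10,000 UNI being deposited; with the unlimited one, the whole 36,000 UNI balance is exposed.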