In brief

  • Ethereum-based "yield farming platform" UniCats allegedly stole at least $200,000 worth of crypto from several users, a ZenGo researcher revealed.
  • A backdoor in the smart contract allowed UniCats to retain control over its users' tokens even after they were withdrawn from its pool.
  • A similar exploit was recently used against Bancor.

An Ethereum user has lost $140,000 worth of UNI, the governance token of decentralized finance (DeFi) platform Uniswap, to yield farming project UniCats, according to Alex Manuskin, researcher at crypto wallet ZenGo.

Over the past weekend, the anonymous user, referred to as “Jhon Doe” for privacy reasons (the misspelling is deliberate, for reasons unknown), stumbled upon a new yield farming scheme called UniCats and decided to transfer some UNI tokens to its liquidity pool.

Manuskin speculated that the user might have been thinking “who knows, it might be the next YFI.” This is a reference to the unaudited, experimental Yearn.finance project, which went from zero to $40,000 in two months.

In the process, the platform asked permission to spend an unlimited number of tokens—which Doe agreed to since it’s a relatively common practice in DeFi. After farming some MEOW tokens, the user pulled his UNI out of the pool.

Little did he know that UniCats’ developer created a backdoor in the smart contract that gave him control over tokens even after they were withdrawn from the platform.

“What Jhon doesn’t know is that once you approved the contract to use [infinite] tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme,” said Manuskin.

Thanks to this backdoor, UniCats’ creator was able to use the "setGovernance" call to snatch Doe’s tokens. In two swift transactions, the user lost 26,000 and 10,000 UNI—worth around $94,000 and $38,000, respectively. The tokens were then swapped for just over 416 Wrapped Ether (roughly $147,000) on Uniswap. And Doe wasn’t the only victim.

“The $140,000 are just from one victim. The culprit made at least $50,000 more from other victims. Might be even more, it is a bit difficult to quantify as it is in separate transactions,” Manuskin told Decrypt.  

He added that this is the first time he has seen this type of attack deliberately used in farming pools, although a similar hack was used against Bancor a short while ago. However, Bancor suffered an exploit, not an intentional backdoor created by the developers, Manuskin explained.

He also noted that the developer of UniCats creates additional smart contracts for each new victim to cover his tracks. The developer then moves the stolen funds into crypto mixer Tornado Cash—a way to make it harder for blockchain analytics companies to follow the money.

Manuskin urged users to approve only the amount of tokens they actually intend to spend, since an exact allowance drops to zero once the contract uses it, or else to revoke the contract's access to their funds afterward.
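To make the allowance mechanism concrete, here is an added illustration (not code from the article, ZenGo or UniCats): a minimal Python model of ERC-20 `approve`/`transferFrom` semantics. It assumes a constructed user balance of 36,000 UNI and a "farm" contract standing in for the untrusted spender, and compares what the spender can still move after the user withdraws under an unlimited approval, an exact-amount approval, and an unlimited approval that is later revoked with `approve(spender, 0)`.

```python
# Constructed model of ERC-20 allowance bookkeeping (EIP-20 approve / transferFrom).
# Hypothetical names: "user" is the token holder, "farm" the untrusted spender contract.
from collections import defaultdict

UNLIMITED = 2**256 - 1  # the "infinite" allowance value dapps commonly request


class Token:
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowance = defaultdict(int)  # (owner, spender) -> amount spender may pull

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) revokes it
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # the only checks a token makes: owner balance and spender allowance
        if self.balances[owner] < amount:
            raise ValueError("insufficient balance")
        if self.allowance[(owner, spender)] < amount:
            raise ValueError("insufficient allowance")
        # allowance is consumed by the amount moved; 2**256-1 minus a deposit
        # is still effectively unlimited, which is the whole problem
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] += amount


def farm_and_withdraw(token, user, farm, stake):
    """User deposits `stake` into the farm (farm pulls via transferFrom) and withdraws it."""
    token.transfer_from(farm, user, farm, stake)  # deposit
    token.balances[farm] -= stake                 # withdrawal: farm sends tokens back
    token.balances[user] += stake


def tokens_at_risk(approve_amount, revoke_after=False, stake=36_000, balance=36_000):
    """Return how many of the user's tokens the spender can still pull after withdrawal."""
    token = Token({"user": balance})
    token.approve("user", "farm", approve_amount)
    farm_and_withdraw(token, "user", "farm", stake)
    if revoke_after:
        token.approve("user", "farm", 0)  # revocation is just approve(spender, 0)
    at_risk = min(token.allowance[("user", "farm")], token.balances["user"])
    if at_risk:
        # confirm the model: a later pull by the spender succeeds without any user action
        token.transfer_from("farm", "user", "farm", at_risk)
        assert token.balances["user"] == balance - at_risk
    return at_risk
```

The exact-amount case returns 0 because the deposit consumes the whole allowance, which is the behaviour the advice above relies on; revocation gives the same protection after the fact.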

“Much of the problem is caused by the fact that users are complicit to approve infinite amounts, as this is the standard in popular dapps as well,” he explained to Decrypt, adding that “On the dapp side, they should consider only promoting to allow the necessary amount, even if this causes the user inconvenience. On the wallet side, wallets should alert a user that they are giving permission to all their current and future tokens.”

Because no one wants to approve a transaction that could rid them of all their money.