Unibot Suffers $640k Loss in Router Exploit

On October 31, 2023, Unibot, a trading bot service, faced a severe security breach, resulting in a loss of at least $640k from users who had approved the contract. The exploit targeted the trading bot's newly deployed router contract, stealing funds from users who had previously approved it.

Behind the Breach

The new router contract, deployed only a day before the exploit and still unverified on Etherscan, contained a critical vulnerability: it let an attacker insert a transferFrom() call through the router, draining approved tokens directly from Unibot user wallets. Any user who had approved the new router to spend their tokens was a potential victim.
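The class of bug described above, as an added illustration that is not Unibot's code (the router was unverified, so its real source is not public): a hypothetical router that forwards caller-supplied calldata to any target can have its own token allowances turned against the users who granted them, while the hardened variant pins both the target and the `from` address to the caller. The `venue` address and contract names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// HYPOTHETICAL vulnerable pattern (not Unibot's code). The router executes whatever
// target and calldata the caller supplies. Users have approved THIS contract to spend
// their tokens, so if `target` is a token and `data` encodes transferFrom(victim, ...),
// the token sees a legitimate spender and the approval is drained by a third party.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Hardened variant. The router never forwards arbitrary calldata: it only pulls tokens
// from msg.sender (so a call can spend nothing but the caller's own allowance) and only
// into one trusted destination fixed at deployment (assumed name: `venue`).
contract HardenedRouter {
    address public immutable venue;

    event Routed(address indexed user, address indexed token, uint256 amount);

    constructor(address _venue) {
        require(_venue != address(0), "venue required");
        venue = _venue;
    }

    function route(IERC20 token, uint256 amount) external {
        // `from` is hard-coded to the caller; no parameter lets another address be named.
        require(token.transferFrom(msg.sender, venue, amount), "transferFrom failed");
        emit Routed(msg.sender, address(token), amount);
    }
}
```

Static analysers such as Slither flag the vulnerable shape (transferFrom with a caller-controlled `from`, or arbitrary external calls from a contract that holds allowances), so running one against a router before granting it an approval is a cheap check when the source is available.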

Attacker's address: 0x413e4fb75c300b92fec12d7c44e4c0b4faab4d04

Despite the Unibot team's action to halt the router and mitigate the issue, opportunistic attackers seized the moment. They deployed cloned exploit contracts and continued to drain funds, exploiting users with existing approvals to the new router contract.

The Wider Picture

While the original exploiter sent 355 ETH (equivalent to $640k) of profits to Tornado Cash, other malicious actors continued to deploy contracts that replicated the exploit. This incident is eerily similar to an attack on Maestro, another trading bot, which lost around $500k just a week prior. Unlike Maestro, which responded quickly and even refunded users more than their losses, Unibot's response seemed to downplay the risk, potentially leading to further losses.

Lessons from the Incident

In conclusion, the recent Unibot exploit serves as a critical reminder of the inherent risks in decentralized finance, particularly when it comes to trusting closed-source contracts. Engaging with unaudited and not battle-tested contracts poses a significant risk, as this incident demonstrates.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.