- Binance CEO Changpeng Zhao faced criticism on Twitter after indicating that rival crypto exchange Uniswap was hacked
- He later clarified that it was a phishing attack and not an exploit
- Up to $9.1 million was potentially lost in the incident
YEREVAN (CoinChapter.com) — Binance CEO Changpeng Zhao, commonly known as “CZ,” sounded a false alarm on Twitter. He accused rival cryptocurrency exchange Uniswap of a security lapse.
“Our threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain. The hacker has stolen 4295 ETH so far, and they are being laundered through Tornado Cash. Can someone notify Uniswap?…,” he tweeted.
Although the Binance founder was too quick to jump to conclusions, his concern was not ill-founded. What looked like a Uniswap V3 protocol exploit to him eventually turned out to be a phishing attack.
Here’s what happened
Attackers sent a phishing link to at least 74,800 addresses under the guise of airdropping new UniswapLP tokens. Users could then swap these tokens for UNI tokens, the native currency of the crypto exchange.
The attackers had also kept the value of the supposed UniswapLP tokens at par with UNI. This would have been enough to excite those receiving the malicious ‘airdrop.’ At the time of the attack, UNI’s price hovered just above $6.
However, the link directed victims to a new website. Instead of letting them exchange their coins, the site allowed the attackers to access users’ information and drain the crypto holdings from affected wallets.
The attackers even tampered with the blockchain transaction explorer. They updated the “from” field to make it seem like a legitimate “Uniswap V3: Positions NFT” had sent the airdrop.
To prevent people from doing a detailed analysis, the attackers urged users to hurry, as only 10,000 tokens could be claimed by over 70,000 users.
Not wanting to miss out, gullible users failed to exercise caution.
The Binance CEO estimated the losses from the attack at $4.7 million in Ethereum tokens (ETH).
However, a Reddit post by Suren Rongayo put that figure way higher. He also claimed attackers had taken off with nonfungible tokens (NFT) from the Uniswap Liquidity Pools.
“So far, they have scammed (~$9.1million) from users, from native tokens (ETH), ERC20 tokens, and NFTs (namely, Uniswap LP positions),” the post claimed.
Binance CEO faces backlash, issues clarification
Following his Twitter post, Binance CEO Changpeng Zhao faced backlash from the community. Users seemed rattled that the entrepreneur had failed to do his homework before making false claims.
“This seems like an incredibly irresponsible thing to tweet, it was a phishing campaign, not an exploit of Uniswap v3 code,” one user wrote to CZ.
Others suspected foul play, accusing Zhao of orchestrating the attack to discredit his competitor. They even claimed Zhao was creating FUD, wondering why he was the first to notice the attack.
“It was all well planned by him… the goal is to generate distrust in Uniswap users because soon he will turn as a campaign that Binance is very safe and we all should immigrate there. Very malicious this man,” one user wrote.
To be fair to CZ, he did use the term “potential exploit” in his tweet.
In the few hours that the post was up, it attracted several posts condemning it. However, Zhao returned with a new post soon after, giving an update on the incident.
He shared a screenshot of his supposed conversation with the Uniswap team. Unidentified Uniswap executives clarified to the Binance CEO that it was a phishing attack rather than a lapse in the security of the smart contract.
Hayden Adams, the CEO of Uniswap, also issued a clarification.
After the incident came to light, the price of UNI tanked. From its daily high of $6.23, the token fell to $5.31 before making a slight recovery. At the time of writing, UNI traded for $5.56 per token, around a 7% drop in the past 24 hours.