Yield farmers looking for a quick profit were recently taken in by a dubious DeFi protocol called UniCats — a yield farming scheme reminiscent of other, more famous protocols like SushiSwap or Yam Finance.
According to ZenGo researcher Alex Manuskin, at least one of its users lost more than $140,000 worth of Uniswap's UNI tokens even after they removed their funds from the protocol. Other users lost about $50,000 more, Manuskin told Cointelegraph.
The users fell victim to a dangerous practice commonly seen in DeFi, where most protocols request authorization to withdraw an unlimited amount of a particular token from the customer's wallet. As Cointelegraph previously reported, decentralized apps like Compound, Uniswap, Kyber and others often feature infinite allowances. This allows a smart contract to move as much of a given token as it wants on behalf of each wallet owner, for as long as the approval stands.
Some wallets will let users manually fine-tune an approved amount, though this is generally set to the maximum possible value by default.
Such was the case with UniCats, Manuskin explained: “Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.”
The UniCats contract contained a sneaky “setGovernance” function that let its owner call any function in the name of the contract. Since users had granted infinite approvals to this contract, the developer was able to drain the entirety of its users’ UNI balances, including tokens that had already been withdrawn from the farm but still sat in the approved wallets.
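To make the allowance mechanism concrete, here is an added toy model of ERC-20 approve/transferFrom semantics (example code, not the article's or UniCats' own; `Token`, `exposure` and `farm_round` are constructed names). It measures how much a farm contract can still pull from a wallet after the user has withdrawn, with an unlimited approval versus a bounded or revoked one.

```python
MAX_UINT256 = 2**256 - 1  # the "infinite" allowance most dApp front-ends request by default


class Token:
    """Toy ERC-20: balances plus an (owner, spender) -> allowance table."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approving 0 revokes the spender
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        self.transfer(owner, to, amount)
        if allowed != MAX_UINT256:  # common implementations never decrement an uncapped allowance
            self.allowance[(owner, spender)] = allowed - amount


def exposure(token, owner, spender):
    """Tokens the spender could still pull from the owner's wallet right now."""
    return min(token.balances.get(owner, 0), token.allowance.get((owner, spender), 0))


def farm_round(approval, revoke_after=False):
    """Constructed scenario: a user holding 1000 UNI approves the farm for
    `approval`, deposits 100, withdraws the 100 again, and we then measure what
    the farm contract is still entitled to take from the wallet."""
    uni = Token({"user": 1000})
    uni.approve("user", "farm", approval)
    uni.transfer_from("farm", "user", "farm", 100)  # deposit: farm pulls via the allowance
    uni.transfer("farm", "user", 100)  # withdrawal: wallet is back at 1000 UNI
    if revoke_after:
        uni.approve("user", "farm", 0)  # explicit revoke once the position is closed
    return exposure(uni, "user", "farm")
```

With the default unlimited approval the whole 1000 UNI stays reachable after withdrawal; approving exactly the deposit, or revoking afterwards, brings the residual exposure to zero.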
Tokens were immediately sold for Ether (ETH), which was then sent to Tornado Cash to be mixed, leading many to question whether these actions were premeditated.
The incident highlights the importance of delegating funds only to vetted and reputable projects. In the wake of the yield farming mania, many lesser-known yield farms were spun up to capitalize on the trend. Unfortunately, they were often outright cash grabs and featured different types of backdoors. Many yield farm...