On October 31, one of Unibot's smart contracts was exploited. As a result, the hacker withdrew more than $600,000 of tokens. Later, they swapped those coins to ETH and transferred them to Tornado Cash. Unibot token’s price dumped by more than 40%.
What is Unibot
Unibot is a Telegram bot that allows you to trade tokens on Ethereum right inside the messenger. All funds are stored on addresses, which are generated by the bot. It also has users’ imported private keys. However, they are usually located on a third-party server.In addition to trading, Unibot allows users to track prices of tokens, follow other addresses, repeat their actions, and many other features.
According to the dashboard on Dune, Unibot is one of the biggest projects in terms of volume in the DEX bots segment.
How does Unibot work
The principle of Unibot's operation is simple: through a Telegram bot, you issue commands that are executed from your address using a special smart contract, which is commonly referred to as a "router". In order to perform swaps and other actions, you must first give approval to this router for token transactions.
In fact, you give the smart contract the ability to manage the tokens on your address. Normally, it executes user’s commands via a bot.
In general, everything is the same as in DeFi. However, instead of the wallet and DEXs, all operations take place through the Telegram bot.
How was Unibot hacked
On October 31, Lookonchain tweeted that more than $600,000 worth of crypto assets were withdrawn from a smart contract owned by Unibot.
Users were advised to revoke the smart contract approval to dispose of the funds on the wallet in order to save the remaining funds.
Later, the Unibot team confirmed the "token approval exploit" of their new router. They also stated that the private keys of the users' addresses are safe. The developers ensured people that funds which had been lost due to the hack would be compensated.
According to a Unibot developer, more than 110 tokens were affected by the exploit. As per PeckShieldAlert, the attacker exchanged stolen funds for 355 ETH on Uniswap and transferred them to Tornado Cash, trying to cover the tracks.
According to the security service Beosin, the attacker managed to exploit a vulnerability in the smart contract. A hacker broke the usual logic of smart contract’s work, and used it to withdraw the tokens from users' addresses that had been previously approved for trading on Unibot.
How UNIBOT price reacted to the hack
At one point, the UNIBOT price collapsed by 40% — from $59.8 to $33.1. However, now the value is around $40.
Be careful when using services like this. It is better to keep a small portion of funds on them, so not to lose everything you have. Read other security tips in our article, Crypto scam: how to protect yourself.
You might also like: