
URGENT: Phishing attack through "Send tab" auto suggest

Open · eltNEG opened this issue 1 year ago · 1 comment

My team got phished through the auto-suggest on the send tab interface. The attacker crafted an address that looks very similar to our destination address. The attacker then performed a zero-value transaction to emit a transfer event from my team's address to the crafted destination.

From address: 0x7B8B698c2c62640a43DD187777DAf8C82F03a424
Intended "to" address: 0xb8dcd6569453ede9a31f36a54e1534da79049ec0
Attacker's "to" address: 0xB8D9B3186E9A4A8c104d9F7EE159B8d0C66b0Ec0

Note that the first five and last three characters are the same for the intended and the attacker's address (0xB8D....Ec0).

The transaction used by the attacker to make his account appear as a recently used address on Uniswap: https://polygonscan.com/tx/0x4ded02c9aefdce54e523748e74c2275a51aa16c968b44073d97481686ec15eab

In the above transaction, he sent 0 value from 0x7B8B698c2c62640a43DD187777DAf8C82F03a424 to his own crafted address 0xB8D9B3186E9A4A8c104d9F7EE159B8d0C66b0Ec0.

Attack interface: [screenshot, 2024-02-20 09:19:49]

Suggestion:

Remove auto-suggest on the sending interface or, at best, only suggest a previously used address entered manually on Uniswap.

PLEASE IMPLEMENT THIS FAST BEFORE MANY PEOPLE GET HURT!

eltNEG avatar Feb 20 '24 14:02 eltNEG
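As an added example (not Uniswap's code), this is how a send form could build its suggestion list the way the post proposes, only from recipients the user typed in that actually received value, and warn when a candidate shares the head and tail of a known address; the history entries and the `enteredByUser` flag are constructed assumptions.

```javascript
// Added example, not Uniswap's code: build the "recent recipients" list the
// way the reporter suggests (only addresses the user typed in that actually
// moved value) and flag candidates that look like a known recipient.

const TEAM_ADDRESS = "0x7B8B698c2c62640a43DD187777DAf8C82F03a424";

// Constructed transfer history for TEAM_ADDRESS. The `enteredByUser` flag is an
// assumed field: true when the recipient was typed into the send form, false
// when it only appeared in a Transfer event (e.g. the zero-value poisoning tx).
const HISTORY = [
  { from: TEAM_ADDRESS, to: "0xb8dcd6569453ede9a31f36a54e1534da79049ec0", value: "2500000000", enteredByUser: true },
  { from: TEAM_ADDRESS, to: "0xB8D9B3186E9A4A8c104d9F7EE159B8d0C66b0Ec0", value: "0", enteredByUser: false },
];

const norm = (addr) => addr.toLowerCase();

// Suggest only recipients the user entered manually and that received a
// non-zero amount; dedupe while preserving order.
function recentRecipients(history, owner) {
  const seen = new Set();
  const out = [];
  for (const tx of history) {
    if (norm(tx.from) !== norm(owner)) continue;
    if (!tx.enteredByUser || BigInt(tx.value) === 0n) continue;
    const to = norm(tx.to);
    if (seen.has(to)) continue;
    seen.add(to);
    out.push(to);
  }
  return out;
}

// A lookalike shares the first `head` characters (including "0x") and the
// last `tail` characters with a known address but is not that address.
// Defaults match the collision described in the issue (0xB8D....Ec0).
function isLookalike(candidate, known, head = 5, tail = 3) {
  const c = norm(candidate), k = norm(known);
  return c !== k && c.slice(0, head) === k.slice(0, head) && c.slice(-tail) === k.slice(-tail);
}

// Return the known addresses that `candidate` could be mistaken for, so the
// UI can warn before the user confirms the send.
function lookalikeWarnings(candidate, knownAddresses) {
  return knownAddresses.filter((k) => isLookalike(candidate, k));
}
```

With the constructed history, the poisoned zero-value recipient never reaches the suggestion list, and pasting it into the form yields a warning naming the intended address it resembles.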

More about this: there needs to be a better way to represent addresses. "We should not truncate them", not just for Uniswap but for major wallet providers. We are placing a nice UI over security; that's an imbalance.

bizmindx avatar Feb 26 '24 10:02 bizmindx