Changpeng Zhao claims Uniswap bug led to theft of 4,000 ETH: was it a false alarm?
Earlier today on 7/12, Binance founder Changpeng Zhao (CZ) issued a warning on Twitter, stating that the team had detected a potential vulnerability in Uniswap, with attackers successfully stealing 4,295 ETH and laundering it through Tornado Cash. However, after contacting Uniswap, it was discovered that it was the Uniswap liquidity providers and users themselves who fell victim to a phishing attack.
This false alarm led to CZ facing criticism, with the community believing that someone with such influence should not spread FUD (fear, uncertainty, doubt) publicly without verifying the information first. However, some also pointed out that both Binance and Uniswap reacted promptly, bringing more attention to the issue.
4,295 ETH Stolen
The warning CZ issued, described in the introduction, sought to reach Uniswap for further assistance:
Our threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain. The hacker has stolen 4295 ETH so far, and they are being laundered through Tornado Cash. Can someone notify @Uniswap? We can help. Thanks https://t.co/OV3g7ayf77
— CZ 🔶 Binance (@cz_binance) July 11, 2022
Uniswap Response
Uniswap founder Hayden Adams stated that this was due to liquidity providers falling victim to a phishing attack, approving malicious transaction contracts, resulting in the theft of Liquidity Provider (LP) NFTs. He emphasized that this "vulnerability" is entirely independent of the protocol and unrelated to Uniswap.
However, Adams mentioned:
This serves as a good warning to users to protect themselves from phishing attacks and avoid clicking on malicious links.
Note: Uniswap's LP NFT serves as proof of ownership of the funds a user has provided as liquidity, and anyone holding this NFT has the right to redeem the corresponding funds from the Uniswap liquidity pool.
CZ later responded, stating that the protocol itself is secure and the attack originated from phishing. Both teams responded promptly, but he apologized for the unnecessary alarm.
Community's Positive and Negative Responses
ChainLink community ambassador "ChainLinkGod" and Terra ecosystem whistleblower "FatMan" expressed strong dissatisfaction with CZ's mistaken alert.
ChainLinkGod believes it was a very irresponsible tweet. FatMan stated that CZ's alert was very foolish: even if it had been a vulnerability, it should have been discussed privately with the team, and Binance's team would not have mistaken it for a vulnerability if they had bothered to check.
Stupid as f*ck to tweet this out instead of asking the team privately even if it *was* an exploit. The fact that it has nothing to do with the contract (and the Binance team didn't bother checking this) makes it so much worse.
— FatMan (@FatManTerra) July 11, 2022
Some also argue that CZ's tweet prompted a swift response from Uniswap. One user asked, if FatMan had issued the warning, would everyone have believed and acted so promptly?