This is how to get free $40000
So it is 2 am, and I need to go to bed. I see Paul Razvan Berg tweeting about a “hack”.
So I open up the link and see a bunch of transactions originating from
to various addresses. The common theme among the destination addresses is that all of them have been inactive for some time. One could then think that perhaps they all belong to the same owner. That is a plausible scenario. But that would be too easy. Let’s dig deeper. How could you possess the private keys of these accounts? Well, you could have been hacked before, or you may have dropped your private key into Pastebin? Or maybe a gist? Or perhaps committed it on GitHub? Or maybe posted it somewhere on your wall on Vkontakte and thought it was private? There are a gazillion ways that you may have leaked the private key. Therefore, another plausible scenario is that the “attacker” has already collected a bunch of private keys. If you use advanced Google search operators, it is relatively easy to find a bunch of private keys. That is how you redeem $40k worth of $UNI.
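The leak channels listed above (a gist, a commit, a pastebin) are exactly what a pre-commit secret scanner is for. The following is an added example, not code from the original post: it scans text for hex strings that could be raw Ethereum private keys, keeps only values that are valid secp256k1 scalars, drops trivially patterned placeholders, and uses the surrounding variable name to rank how likely the match is a key rather than a transaction hash. The sample "commit" it runs over is constructed for this example; none of the values are real keys.

```python
import re

# secp256k1 group order n: a valid private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Exactly 64 hex chars, optionally 0x-prefixed, not embedded in a longer hex run,
# so 128-char signatures are not split into two "keys".
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")

# Heuristics on the surrounding line: a key-ish name raises confidence,
# a hash-ish name lowers it (tx hashes are also 32 bytes of hex).
KEY_CONTEXT = re.compile(r"priv|secret|mnemonic|wallet|key", re.IGNORECASE)
HASH_CONTEXT = re.compile(r"hash|tx|block", re.IGNORECASE)


def is_plausible_private_key(hex64: str) -> bool:
    """True if the 32-byte hex value could be a usable secp256k1 private key."""
    value = int(hex64, 16)
    if not (1 <= value < SECP256K1_N):
        return False
    # Values built from one or two repeated digits are docs placeholders, not keys.
    if len(set(hex64.lower())) <= 2:
        return False
    return True


def find_private_key_candidates(text: str):
    """Return findings as dicts; the key itself is never echoed, only a prefix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX64.finditer(line):
            hex64 = match.group(1)
            if not is_plausible_private_key(hex64):
                continue
            if KEY_CONTEXT.search(line):
                confidence = "high"
            elif HASH_CONTEXT.search(line):
                confidence = "low"
            else:
                confidence = "medium"
            findings.append(
                {"line": lineno, "key_prefix": hex64[:8], "confidence": confidence}
            )
    return findings


# Constructed sample of a file someone might commit by mistake (values are made up).
SAMPLE_COMMIT = "\n".join([
    "# constructed sample file, not a real wallet",
    'RPC_URL = "https://mainnet.example.invalid"',
    'PRIVATE_KEY = "0x8f2a55949038a9610f50fb23b5883af3b4ecb3c3bb792cbcefbd1542c692be63"',
    'last_tx = "0x3ab2c6e1b24df0a4cd9e0ab5a5ac7c9e4c5bf21a20cf36f0f3c21cd1b1e6b1d9"',
    'DEMO_KEY = "0x0000000000000000000000000000000000000000000000000000000000000001"',
    'sig = "0x' + "ab12" * 32 + '"',
])

if __name__ == "__main__":
    for finding in find_private_key_candidates(SAMPLE_COMMIT):
        print(f"line {finding['line']}: {finding['key_prefix']}... ({finding['confidence']})")
```

Run it as a pre-commit hook over staged files and block the commit on any "high" finding; "low" findings are mostly transaction hashes and can be reviewed rather than blocked. Note that this catches raw hex keys only, not keystore JSON or mnemonic phrases, which need their own patterns.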
Granted, this isn’t a lot given how many $UNI tokens will be minted and how much volume there is in $UNI pools. The “attacker” hasn’t stolen anything either. What he did do is show once again that no matter how well established and how well audited you may be, you are never 100% protected against “hacks”, for lack of a better word. I would not say that the pool significantly suffered from this withdrawal, since at the time of writing UNI-ETH is at $30 mil. What is disappointing is that this is such a small “hack” that most will probably ignore it. This poses an important question, one that shares ground with something Vitalik mentioned on Kernel’s fireside: the choices that you are presented with in web3. The context was Ethereum in particular. On the one hand, you can get a grant from Gitcoin or the Ethereum Foundation (albeit a modest one, most likely), and on the other, you can launch a flashy ICO, or, as is fashionable these days, something wrapped in governance. Likewise, some people genuinely struggle with finances and may even be “forced” into actions like this. There have been worse hacks, since in this case no money was directly stolen: those accounts were inactive. You could argue that the person could have claimed the tokens themselves in the future, and I agree. However, their keys are compromised, and if they were oblivious to this airdrop and later deposited into those addresses, it could have turned even sourer. Now this sounds like it was me who hacked $UNI from the way I am “defending” their actions, but I assure you it wasn’t me. If it were, I would have put it into a pot for those very same accounts to claim the $UNI from, and if they didn’t after some time (a year? maybe more), it would all go into Gitcoin Grants or similar.
I will finish off by saying that it is remarkable that all of the transactions in this “hack” were manual. There was just someone sitting at their computer, pushing send buttons.