Unibot was attacked and lost more than $600,000, and the security of TG BOT was questionable

Original | Odaily

Author | Qin Xiaofeng

![Unibot was attacked and lost more than $600,000, and the security of TG BOT is questionable](https://img-cdn.gateio.im/webp-social/moments-7f230462a9-1979bb04a2-dd1a6f-69ad2a.webp)

This afternoon, several community members reported that Unibot, a Telegram bot project, had been attacked. According to Scopescan's monitoring, the attackers transferred tokens out of Unibot users' wallets and are in the process of swapping them for ETH, with losses of more than $600,000 so far.

As soon as the news broke, the UNIBOT token fell from 55 USDT to a low of 33 USDT, a maximum drop of 40%; it is currently trading at 39.5 USDT.

![Unibot was attacked and lost more than $600,000, and the security of TG BOT is questionable](https://img-cdn.gateio.im/webp-social/moments-7f230462a9-64fa992197-dd1a6f-69ad2a.webp)

Security firms: revoke approvals as soon as possible

Security firm BlockSecTeam's analysis notes that, because the contract code is not open source, this remains a suspicion: function 0xb2bd16ab in the 0x126c contract appears to lack input validation, allowing arbitrary calls. An attacker can therefore make the contract call "transferFrom" and move out the tokens that users had approved to it. BlockSecTeam reminds users to revoke their approvals to the contract as soon as possible and to move funds to new wallets.

![Unibot was attacked and lost more than $600,000, and the security of TG BOT is questionable](https://img-cdn.gateio.im/webp-social/moments-7f230462a9-932721cdff-dd1a6f-69ad2a.webp)

According to the Beosin security team's analysis, the root cause of the Unibot attack is call injection: the attacker can pass custom malicious call data to the 0xb2bd16ab contract, which then transfers the tokens that users had approved to the Unibot contract. Beosin Trace is tracking the stolen funds, and Beosin reminds users that they can revoke their wallets' approvals on Revoke via the link: The addresses associated with the attack are as follows:
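Both analyses describe the same defect: a router function that forwards caller-supplied call data without checking the target or the selector, so that anyone can make the router invoke transferFrom on tokens users approved to it. The Solidity sketch below is an added illustration, not Unibot's code (the router is closed source and its ABI is not public); the contract names, the swap function, `swapTarget` and `SWAP_SELECTOR` are assumptions made for the example. It puts the unchecked forwarding pattern next to a hardened router that only moves the caller's own funds, only to a fixed target, only through one allowed selector, and that the owner can pause.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Unibot's code. The real router is closed source, so
// contract names, function names and the swap-target ABI below are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// The pattern the analyses describe: a forwarding function with no check on
/// target or calldata. Every user who approved this router has, in effect,
/// approved whoever can call execute(), because the router can be told to run
/// token.transferFrom(user, anyone, amount) on their behalf.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened shape: never calls a caller-chosen address, only moves funds out of
/// msg.sender's own balance, restricts the forwarded selector to the one swap
/// entry point, leaves no standing approval behind, and can be paused.
contract HardenedRouter {
    address public immutable owner;
    address public immutable swapTarget;                  // fixed DEX/aggregator (assumed)
    bytes4  public constant SWAP_SELECTOR =
        bytes4(keccak256("swap(address,uint256,address)")); // assumed swap-target ABI

    mapping(address => bool) public allowedToken;
    bool public paused;

    event RouterPaused(bool state);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "router paused"); _; }

    constructor(address _swapTarget) {
        owner = msg.sender;
        swapTarget = _swapTarget;
    }

    function setAllowedToken(address token, bool ok) external onlyOwner {
        allowedToken[token] = ok;
    }

    // Circuit breaker: what a team does while it investigates (Unibot suspended its router).
    function setPaused(bool state) external onlyOwner {
        paused = state;
        emit RouterPaused(state);
    }

    /// Pulls amountIn from the caller only, then forwards to the fixed target.
    /// The calldata is still caller-supplied, but it can only reach swapTarget
    /// and only through SWAP_SELECTOR, so it can never become a transferFrom
    /// against another user's approval.
    function swap(address tokenIn, uint256 amountIn, bytes calldata swapData)
        external
        whenNotPaused
        returns (bytes memory ret)
    {
        require(allowedToken[tokenIn], "token not allowed");
        require(amountIn > 0, "zero amount");
        require(swapData.length >= 4 && bytes4(swapData[:4]) == SWAP_SELECTOR, "bad selector");

        // Only msg.sender's funds move, and only into this router.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");

        // Grant the fixed target exactly what this call needs, then reset it.
        require(IERC20(tokenIn).approve(swapTarget, amountIn), "approve failed");
        bool ok;
        (ok, ret) = swapTarget.call(swapData);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(swapTarget, 0), "approve reset failed");
    }
}
```

From the user's side, the revocation both teams recommend is the standard ERC-20 call `token.approve(router, 0)` sent from the user's own wallet for every token that was approved to the router; tools such as Revoke simply issue that call. Note that the hardened router still depends on `swapTarget` being trustworthy, and that some tokens do not return a bool from `transferFrom`, which a production router handles with a safe-transfer wrapper.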

Hackers lay dormant for half a year before attacking

One of the odd points about this Unibot incident is that the hacker's address had been lying in wait since the Unibot contract was deployed in May this year. According to Scopescan, a week after Unibot's launch the hacker received 1 ETH from FixedFloat (a coin mixer) as gas for the attack, and then showed no related activity for half a year, until today.

Many users in the crypto community speculated that the attack may have been carried out by Unibot insiders, because the timing was very coincidental: it fell exactly in the window after Unibot switched to its new contract (the upgrade was only two days ago), and the hackers found the contract vulnerability with ease.

On-chain data shows that the hacker's wallet address currently holds about $630,000 in remaining assets, the largest share being ETH at about $573,000; the other stolen assets are as follows:

![Unibot was attacked and lost more than $600,000, and the security of TG BOT is questionable](https://img-cdn.gateio.im/webp-social/moments-7f230462a9-b9cee2b04c-dd1a6f-69ad2a.webp)

In addition, according to Lookonchain's monitoring, one user's assets were stolen twice in this attack. The user's account initially received 20,789 USDC, spent $1,000 on SMilk, and the remaining $19,789 worth of USDC was stolen by the attackers without the user noticing. This afternoon the user sold the SMilk for $2,194, a profit of $1,194 (a 120% return); an hour later, that last remaining $2,194 in USDC was stolen again.

There is a vulnerability in the router and the attack is still ongoing

Unibot officially announced that the attack was mainly due to a token approval vulnerability in the new router, and that the router has been suspended; any loss of funds caused by the vulnerability will be compensated, and Unibot will issue a detailed response once the investigation is concluded.

![Unibot was attacked and lost more than $600,000, and the security of TG BOT is questionable](https://img-cdn.gateio.im/webp-social/moments-7f230462a9-e058b238ba-dd1a6f-69ad2a.webp)

Community user @tomkysar stated that the attack against Unibot is still ongoing, and it appears that the two attacker addresses are still able to obtain funds from the 0x126 Router’s approved addys, and that user funds are still at risk.

Scopescan also posted that a new Unibot attacker has emerged, deploying the same contract as the previous attacker and stealing user funds.

Bot product security is questionable

Unibot is a popular new Telegram bot that lets users trade cryptocurrencies without leaving the Telegram app. The bot is easy to use, executes trades quickly, and offers a variety of features, such as decentralized copy trading, DEX-based limit orders, and protection against MEV bots.

According to CoinGecko data, UniBOT has earned 8,950 ETH since its inception, ranking second among all bot products. Maestro ranks first with cumulative income of 13,200 ETH, and Banana Gun third with 1,940 ETH.

However, bot products also carry significant security risks, most recently the router vulnerability in the Maestro contract, which resulted in a loss of about 281 ETH — a vulnerability that allowed an attacker to transfer any tokens approved to its Router 2 contract. In the end, Maestro chose to compensate part of users' losses.
