UniCats mauls yield farmers as DeFi market hype dies down

2020.10.11 Matthew Lam

OKEx Insights' DeFi Digest is a weekly examination of the decentralized finance industry.

DeFi market snapshot

The decentralized finance market dipped this week as the total value locked in DeFi products fell from $11.1 billion to $10.1 billion. 

Uniswap maintained its position as the market leader with a 22% market share of the total USD value locked. The decentralized exchange also had the largest liquidity pool and extended its trading volume dominance from 54% to 62%.

In the decentralized lending sphere, Compound continued to dominate with a market share of 49%. Aave was in second place with a 37% market share.

Some key metrics in the DeFi world saw decreases this week. Sources: DeFi Pulse and DeBank

DeFi tokens swimming in a sea of red

It was a relatively quiet week in terms of major DeFi developments. Buying interest in DeFi tokens waned, which led to sell-offs across most projects. As a result, the broader DeFi market was awash in a sea of red, with some tokens seeing dramatic price declines.

Most DeFi tokens sustained losses this week, with some worse than others. Source: Coin360

DFI.money was the top loser, shedding 52% of its value. The leading automated market makers were also among the hardest hit in this week's sell-off: Curve (CRV), SushiSwap (SUSHI) and Uniswap (UNI) took weekly losses of approximately 45%, 44% and 26%, respectively.

UniCats mauled yield farmers

UniCats, a yield-farming DeFi protocol modelled on SushiSwap and YAM Finance, drew the attention of the DeFi community this week after users lost their token balances as a direct result of its malicious smart contracts.

As detailed by ZenGo researcher Alex Manuskin, an anonymous user dubbed "Jhon Doe" lost UNI governance tokens worth about $140,000 after participating in UniCats yield farming. Etherscan data shows that the user lost roughly 26,757 UNI and 10,703 UNI in two transactions on Oct. 4.

Anonymous Twitter user "Jhon Doe" lost more than 37,000 UNI in two transactions. Source: Etherscan

A common and dangerous loophole in DeFi

The UniCats incident has once again exposed a common and dangerous practice in the DeFi sphere: protocol operators request authorization to withdraw an unlimited amount of tokens from users' wallets. In UniCats' case, the farm contract's "setGovernance" function let its operators hand control of the farm to any address they chose. Combined with the standing unlimited allowance, that control gave the platform full power over users' tokens, even after users had withdrawn their deposits from UniCats.

In the case of "Jhon Doe," the user first deposited UNI into UniCats to participate in yield farming. As with other yield-farming DeFi protocols, the deposit was preceded by an approval transaction, confirmed in MetaMask, that grants the UniCats contract an allowance to spend the user's UNI. What the user did not realize is that the allowance requested was unlimited and does not expire: it allowed UniCats to withdraw their tokens at any time, for as long as it remained set.

The approval message in MetaMask allows DApps to spend users' tokens. Source: Alex Manuskin on Twitter

According to Manuskin, the UniCats operators drained users' funds by first deploying a new smart contract and passing ownership of the farm to it. Once a user had approved and deposited into the farm, the new contract could direct the farm to pull UNI from the user's wallet through that standing allowance and swap it for Ether on Uniswap. The ETH was then transferred to an address controlled by UniCats. To cover their tracks, the UniCats team moved the proceeds in batches of 100 ETH through Tornado.cash, mixing them with other funds.

UniCats is not the first DeFi protocol to suffer from a smart contract loophole that authorizes infinite withdrawals. Bancor Network, an on-chain liquidity protocol, identified a similar loophole on June 17 that would have allowed attackers to steal funds from users who had interacted with Bancor's smart contract. Once the Bancor team confirmed the vulnerability, it chose to white-hat attack the contract itself, moving the exposed funds to safety before malicious actors could drain them.

Loopholes and ERC-20 token limitations

Smart contract loopholes that authorize infinite withdrawals stem from a limitation of the ERC-20 standard. An ERC-20 token does not notify a contract when tokens are simply transferred to it, so contracts such as Bancor's and UniCats' cannot tell on their own that a user has deposited. Instead, the user must first approve the contract to spend tokens on their behalf, and the contract then pulls the funds with transferFrom. Wallets and DApps typically request an unlimited allowance, which spares the user the gas cost and delay of a fresh approval before every deposit, but it also leaves that allowance in place indefinitely.
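To make the loophole described in the two sections above concrete, here is a minimal farm contract written for this article. It is not UniCats' code, and the contract and function names (LeakyFarm, pullFromUser, standingAllowance) are hypothetical; the pull function stands in for whatever privileged action the real farm's governance could trigger. It shows the ERC-20 approve/transferFrom deposit pattern, an owner-only setGovernance, and why an unlimited allowance lets whoever controls governance take tokens from a wallet that has already withdrawn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0;

// Minimal ERC-20 surface needed for the illustration.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical farm illustrating the pattern described above (not UniCats' contract).
contract LeakyFarm {
    IERC20 public immutable token;
    address public owner;
    address public governance;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
        governance = msg.sender;
    }

    // Before calling this, the user sends token.approve(address(this), amount) from their wallet.
    // Wallets usually propose type(uint256).max so later deposits need no new approval; that
    // "infinite" allowance is exactly what the rest of this contract abuses.
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
    }

    // Withdrawing returns the deposit but does NOT touch the allowance the user granted.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // A single owner can hand control to any address, including a freshly deployed contract.
    // This is the "upgrade by a single owner" situation Manuskin warns about.
    function setGovernance(address _governance) external {
        require(msg.sender == owner, "not owner");
        governance = _governance;
    }

    // The loophole: governance can make the farm spend a user's standing allowance directly
    // from the user's wallet, regardless of whether the user still has a farm balance.
    function pullFromUser(address user, uint256 amount, address to) external {
        require(msg.sender == governance, "not governance");
        require(token.transferFrom(user, to, amount), "transferFrom failed");
    }

    // The check a user should make: what can this contract still spend on my behalf?
    // Anything above zero after a full withdraw is exposure, not leftover convenience.
    function standingAllowance(address user) external view returns (uint256) {
        return token.allowance(user, address(this));
    }
}
```

On the user side, the defence is to approve only the amount about to be deposited (token.approve(farm, amount) before each deposit) and to reset the allowance with token.approve(farm, 0) after withdrawing, so that standingAllowance returns zero. On the contract side, a farm should have no privileged function that spends user allowances at all, and changes to governance or owner should sit behind a timelock or multisig so that users can see a hostile handover coming.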

Alternative token standards have tried to close this gap. ERC-223, for instance, notifies the receiving contract directly and removes the need to approve withdrawals. Its adoption remains limited, however, because of excessive gas usage and the friction of migrating existing ERC-20 tokens and integrations to the new standard.

In a comment to OKEx Insights, Manuskin said it is safest for yield farmers to invest only in well-established and audited DeFi protocols. He explained:

"Interacting with farms depends on how much risk you are willing to take on. There is always the safe route of only using well-established and audited contracts. This is not a guarantee of no security issues, but it is much better than nothing. Some users might want to 'degen' into new projects that might not have the time to undergo an official audit. Naturally, this is riskier. [But] if the project has real value, community members themselves may read the contract and perform an informal audit."

Manuskin also cautioned users about contracts that can be upgraded, which he regards as particularly dangerous. He noted:

"Something to look out for is contracts that can be upgraded. This is a common design pattern, but if there is a single owner that can perform the upgrade, you are trusting them to not abuse their power. They might upgrade the contract to a malicious one, even if it is completely safe at first."

Be a rational yield farmer

The case of "Jhon Doe" and UniCats is merely a snapshot of the current state of yield farming, in which users willingly enter unfamiliar or unaudited DeFi protocols to maximize their yields. The recent security incident at Eminence Finance shows the same pattern. Eminence, an unfinished DeFi protocol by yearn.finance founder Andre Cronje, was exploited for $15 million, of which half was later returned. Although Cronje said the protocol was still in the testing stage, some yield farmers poured their funds into it without understanding how it worked.

With the hype surrounding yield farming starting to die down, the recent cases of UniCats and Eminence give yield farmers good reason to pause and take the time to invest rationally. Cronje offered similar advice when he implored, "If you don't understand it, please don't use it."

