October 31, 2023

Tracking the Unibot Hack

Unibot, a popular Telegram bot used to snipe trades on the decentralized exchange Uniswap, has recently been hacked, resulting in the loss of around $560,000 in user funds.

Unibot Hack Details

At around 5 AM UTC on October 31, the hacker exploited Unibot and started transferring meme coins out of Unibot users' wallets. The hacker then swapped the tokens, currently estimated to be worth $560,000, for $ETH. You can check the hacker's address 0x413e on Scopescan right now to track the transactions.

Unibot users are urged to immediately move their funds into a new wallet and to revoke approvals from the following smart contracts:

- 0x126c, deployed by the Unibot team (from its deployer address 0x4080) two days before the hack

- 0x2b32, 0x6b93, and 0x9838, deployed from the hacker's address 0x413e itself.
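Revoking an approval means calling approve(spender, 0) on each token contract that still has a live allowance for the suspect spender. The script below is an added example (not 0xScope's or Unibot's code) of how to find those allowances from ERC-20 Approval event logs and build the revoke calldata. The log entries and all addresses in it are constructed placeholders: the page only gives truncated addresses (0x126c, 0x2b32, 0x6b93, 0x9838), so real ones must be substituted before use.

```python
"""Find live ERC-20 allowances granted to suspect spenders and build the
approve(spender, 0) calldata that revokes each one.

Added example, not 0xScope's or Unibot's code. All addresses and log entries
below are constructed placeholders standing in for the contracts named in the
post (0x126c, 0x2b32, 0x6b93, 0x9838), whose full addresses the page does not give.
"""

# Well-known constants: keccak256("Approval(address,address,uint256)") and the
# first four bytes of keccak256("approve(address,uint256)").
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"
MAX_UINT256 = (1 << 256) - 1


def topic_for(addr: str) -> str:
    """Indexed address arguments are stored as 32-byte words, left-padded with zeros."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


def live_allowances(logs, owner):
    """Replay Approval logs in chain order and return the allowances still in
    force for `owner` as {(token, spender): amount}. A later Approval for the
    same (token, spender) pair overwrites the earlier one; an amount of 0 clears it."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)
        else:
            state[key] = amount
    return state


def approvals_to_revoke(logs, owner, suspect_spenders):
    """Only the live allowances whose spender is on the suspect list."""
    suspects = {s.lower() for s in suspect_spenders}
    return {k: v for k, v in live_allowances(logs, owner).items() if k[1] in suspects}


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector followed by two 32-byte words."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# Constructed sample data (placeholders, not real Unibot or hacker addresses).
USER = "0x1111111111111111111111111111111111111111"
OTHER_USER = "0x2222222222222222222222222222222222222222"
SUSPECT_ROUTER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"   # stands in for 0x126c
BENIGN_ROUTER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
MEME_TOKEN = "0xcccccccccccccccccccccccccccccccccccccccc"
OTHER_TOKEN = "0xdddddddddddddddddddddddddddddddddddddddd"
SUSPECT_SPENDERS = [SUSPECT_ROUTER]


def _approval(block, idx, token, owner, spender, amount):
    return {
        "blockNumber": block,
        "logIndex": idx,
        "address": token,
        "topics": [APPROVAL_TOPIC, topic_for(owner), topic_for(spender)],
        "data": "0x" + format(amount, "064x"),
    }


LOGS = [
    _approval(100, 0, MEME_TOKEN, USER, SUSPECT_ROUTER, MAX_UINT256),  # unlimited, still live
    _approval(101, 0, OTHER_TOKEN, USER, SUSPECT_ROUTER, 5000),        # granted ...
    _approval(102, 3, OTHER_TOKEN, USER, SUSPECT_ROUTER, 0),           # ... then already revoked
    _approval(103, 0, MEME_TOKEN, USER, BENIGN_ROUTER, 1000),          # live, but not suspect
    _approval(99, 0, MEME_TOKEN, OTHER_USER, SUSPECT_ROUTER, 1),       # someone else's wallet
]

if __name__ == "__main__":
    for (token, spender), amount in approvals_to_revoke(LOGS, USER, SUSPECT_SPENDERS).items():
        print(f"token {token}: allowance {amount} for {spender}")
        print(f"  send to {token}: {revoke_calldata(spender)}")
```

In practice the logs come from an eth_getLogs query filtered on APPROVAL_TOPIC and the owner's padded address as topic[1]; the replay logic is what matters, since an old Approval that was later overwritten or zeroed is not a live allowance, and the unlimited (MAX_UINT256) approvals typical of trading routers are the ones worth revoking first.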

Two days before the hack, the Unibot team deployed two new contracts, its first new deployments in about five months. By comparison, in its early days, the team created a total of eight contracts.

Following the hack, the Unibot team deployed another new contract, likely as part of its post-hack response.

Interestingly, the hacker's address was funded with 1 $ETH through a transaction from the FixedFloat exchange on May 25, just days after Unibot's token was launched on May 21.

Soon after the exploit had taken place, the Unibot team released the following statement: "We experienced a token approval exploit from our new router and have paused our router to contain the issue. Any funds lost due to the bug on our new router will be compensated. Your keys and wallets are safe. We will release a detailed response after [the] investigations conclude."

UPDATE (as of 7 AM UTC): Another address, 0x835b, has deployed a contract similar to those used by the hacker's address 0x413e. It has also started receiving crypto tokens from Unibot users.

The 0xScope team will continue to investigate the Unibot attack and post further updates here and on our social media accounts.

About Unibot

Launched on May 20, Unibot is one of the more well-known brands among Telegram trading bots, or tools that allow users to trade crypto tokens within the Telegram app, making it convenient for traders to snipe opportunities in DEXes. The free-to-use bot boasts fast trading speeds of about 6x the pace of manually using Uniswap. Features include limit orders, sniper tools for copy trading, fail guard selling, profit-and-loss analysis, and private transactions that are protected from MEV bots.

As of October 30, Unibot is the leading Telegram bot by DEX volume market share at 38.7%, with ChainGPT at a distant second with 14.9%. Over its five months of operations, Unibot accumulated 9,445.07 $ETH in total fees, including 7,470.45 $ETH in tax fees and 1,974.63 $ETH in bot fees, from $400.8M in lifetime trading volume and 651,432 lifetime trades. Daily trading volume peaked at $9.04M on August 29, while peak DEX trades were at 10,852 transactions on August 28. The bot's recent average daily volume over the past 7 days is at $2.8M.

Security Concerns on Telegram Bots

The Unibot hack highlights the inherent risks in using Telegram bots for trading crypto tokens. Manually trading on DEXes involves the use of self-custody crypto wallets. By contrast, when users create an account in a Telegram bot like Unibot, they are required to use wallets that the bot provides to start trading, similar to the way centralized exchanges operate. This is how Telegram bots are able to offer fast trading speeds, in exchange for custody-related risks.

This arrangement exposes users of Telegram bots to unauthorized token transfers to third-party wallets (in this incident, through a token approval bug in a router contract that users' wallets had approved) and to leakage of the private keys the bot holds, putting the funds you entrusted to the bot at risk.

The 0xScope team will continue to investigate this incident. Follow Scopescan on Twitter/X for more updates.

Additional sources: tk and Fudzy on X
