The latest victim in the ever-growing list of crypto hacks is Unibot, a popular trading tool on Telegram.
Today, alarm bells rang after the project revealed a "token approval exploit" impacting Unibot. "Your keys and wallets are safe," the project wrote, adding that all funds impacted by the bot's "new router" will be compensated.
A "token approval exploit" refers to a vulnerability in smart contract permissions that allows unauthorized access to, or movement of, a user's tokens beyond the intended limit.
Initial estimates suggested that around $640,000 worth of cryptocurrency had been affected. Subsequent investigations also revealed that the siphoned funds were moved quickly and converted to Ethereum.
Unibot is a popular Telegram-based trading tool that gained significant traction due to its user-friendly interface. In a nutshell, Unibot lets users swap cryptocurrencies without having to leave the messaging app. Beyond that, though, users can also copy other traders' strategies and enjoy MEV-protected trading.
The app's popularity has been reflected in the value of its native token, which, in its heyday, reached a staggering $236 in mid-August.
However, the exploit news triggered a drastic plunge in the token’s price, bringing it down from $57.56 to a meager $32.94, according to data from CoinGecko. The UNIBOT token is now changing hands at $45.7.
The exploiters initially transferred the stolen assets to Uniswap, a decentralized exchange, before moving them through Tornado Cash.
Unibot joins annals of crypto exploits
Though this is one of the first high-profile Telegram bot exploits, the broader crypto landscape has been rattled by security lapses.
Only a week before the Unibot exploit, some LastPass users reported losing another $4.4 million worth of crypto. Though the regular exploits over the past 10 months had baffled many as they arrived seemingly without rhyme or reason, security experts are now pointing to a LastPass exploit from last December.
Another key vulnerability in the crypto space has been inter-blockchain bridges that let users swap assets between incompatible networks. In August, the Optimism-based lending platform Exactly was exploited for $7 million. It's not a sum to scoff at, but it's also one of the smaller hauls compared to other higher-profile bridge hacks.
Take for example Axie Infinity's Ronin bridge, which was exploited in March 2022 for an estimated $622 million. There's also the Wormhole exploit, which saw a whopping $320 million nabbed by exploiters.
As the crypto realm continues its march into the mainstream, these incidents serve as stark reminders of the challenges that lie ahead.
Editor’s note: This article was written with the assistance of AI. Edited and fact-checked by Liam Kelly.