Unibot Update 🦄🤖
The token approval exploit we suffered on Oct 31 has been fully addressed and trading with Unibot is back to normal. As stated previously, the issue was solely related to trades made against a newly deployed router contract that was vulnerable to attack. The issue was isolated to tokens and did not affect ETH balances. The refunds have been processed, but it was a complex process so we will review any cases that necessitate it. Please follow below for the full detail.
Summary of Events
At around Ethereum block number 18467790, malicious actors deployed a contract and began to attack the Unibot router. The attackers funneled tokens out of around 600 affected wallets that had granted token approvals to the newest Unibot Router (which had begun receiving volume about 18 hours prior to the incident). In total around $600k was lost in the exploit which the Unibot team has covered in full with a cost basis of $1.78m.
Shortly after, the team responded by halting any further trades via the vulnerable contract. Thereafter we began revoking any problematic token approvals in affected user wallets to mitigate further losses. Several users withdrew their ETH which prevented our approval revocation. We sent ETH to the relevant wallets in order to revoke approvals and complete our exploit mitigation.
Remediation
After mitigating the exploit, the majority of our time was spent recouping lost tokens for our users. We concluded that the following approach for the refund would be the most equitable solution:
1. Market bought the majority of the tokens that were lost (141 of the 164 affected tokens, ~86%).
2. For @joecoin_, our biggest impacted coin in value, we recovered the entire lost token balance in full (~$370k at the time of refund).
3. Likewise, for tokens such as $DAVID, $AIX, $MSTR, $BCAT, $TISM, and $CHAINS we recovered 100% of the tokens. In the case of $TISM, $KEKEC and $BCAT we also added 50% of the ETH value at the time of the exploit to compensate for the significant price fall.
4. For tokens that had dropped significantly in value (e.g. $MILK) by the time of refund, we sent the ETH value at the time of the transfer exploit.
5. For other tokens that had low market cap, or had poor liquidity relative to value, we gave a full refund in ETH at the time of exploit with an additional 20-35% bonus (e.g. $ACAT).
Although we made our best effort, please be mindful that low-cap token prices can be quite volatile. The refund process took quite a number of hours due to its complexity, hence some token prices may have moved unfavourably in the interim. Reach out to us if you have concerns.
In addition, we have two updates:
- For the next 10 days, trading fees are reduced to 0% for all Unibot transactions
- $UNIBOT holders' revenue share increases from 2 -> 3% for the month of November. To put it simply, during this period, 100% of token taxes will be directed back to our valued holders.
After a short rest we will follow up with an announcement when these bonuses are in effect.
To our users and our community, we sincerely apologize. You all expect us to deliver at a high level of standards that we've set from the onset, and we will do everything to continue delivering at those standards.
We'll be working with tier 1 auditors to strengthen our security around new features and push industry leading practices in protecting our users.
"The only real mistake is the one from which we learn nothing." - Henry Ford
We will come back stronger from this just like we did from our initial migration. Thank you everyone for your love and support. Lastly, please join our Telegram if you have more questions or concerns.