Telegram-based crypto trading platform Unibot suffers security breach; over $600,000 lost

Unibot, a Telegram-based crypto trading bot, has been exploited due to a suspected hacking incident. Users have been rushing to withdraw their funds from the platform, which specializes in connecting wallets to the decentralized exchange Uniswap and allowing users to execute token trades using Telegram-based tools. 

Etherscan data indicates that an exploiter has been moving users’ cryptocurrencies and exchanging them for Ethereum (ETH).

One week after Unibot was launched, the exploiter received 1 ETH as gas fee from FixedFloat coin mixer, as revealed by Scopescan. Analytics firm Lookonchain has reported that the exploiter has already pilfered over $600,000. Moreover, cybersecurity entity Beosin Alert has identified the root cause of the breach as a Call injection. This vulnerability enabled the attacker to insert custom malicious calldata into a specific method, thereby transferring tokens approved to Unibot contracts.

Unibot token price plummets

The immediate financial aftermath of the security lapse has been severe. The Unibot token price plummeted by 25.0% in one hour after the hack, trading at $42.42 at the time of this report, according to data from Coingecko.

The platform’s team confirmed the exploit on X (Twitter). They attributed the security lapse to a token approval exploit in their new router, which has now been paused to contain further damage. Additionally, the team assured users that compensation would be provided for any lost funds. Importantly, they stressed that users’ keys and wallets were not compromised.

In a similar vein, Unibot declared that it would reimburse any purloined funds. Consequently, the team paused the router’s operation to mitigate the issue. They reiterated the security of users’ keys and wallets, aiming to assuage concerns.

Significantly, this Unibot incident is the latest in a series of exploits that have plagued the crypto trading bot space, especially those operating on Telegram. Notably, last week, Maestro, a leading Telegram trading bot at the time, suffered a hacking incident that resulted in a loss of $500,000. Affected users were later reimbursed. Also, in September, Banana Gun, another top bot, saw its native token crash by 98% in a single day due to a smart contract glitch.

In light of these events, crypto trading bot users are urged to exercise caution. The growing incidents of security lapses underscore the risks involved in relinquishing control over private keys to trading bots. However, it remains to be seen how Unibot will shore up its defenses to regain user trust and prevent future mishaps.