
This is how to get free $40000
So it is 2 am, and I need to go to bed. I see Paul Razvan Berg tweeting about a “hack”.
So I open up the link and see a bunch of transactions originating from 0x0531242C5d7e00d23cfEbEE9ab0d13E700121547 to various addresses. The common theme among the destination addresses is that all of them have been inactive for some time. One could then think that perhaps they all have the same owner. That is a plausible scenario. But that would be too easy. Let’s dig deeper.
How could you possess the private keys of these accounts? Well, you could have been hacked before, or you may have dropped your private key into Pastebin? Or maybe a gist? Or perhaps committed it on GitHub? Or maybe posted it somewhere on your wall on Vkontakte and thought it was private? There are a gazillion ways that you may have leaked the private key. Therefore, another plausible scenario is that the “attacker” has already collected a bunch of private keys. If you use advanced Google search operators, it is relatively easy to find a bunch of private keys. That is how you redeem $40k worth of $UNI.
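For the defensive side of the leak paths listed above, here is a check you can run over a file, gist or paste before it is published. It is an added example, not code from the original post; the hint word lists and the 8-distinct-digit threshold are assumptions, and the sample text is constructed.

```python
import hashlib
import re

# Order of the secp256k1 group: a usable Ethereum private key k has 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Exactly 64 hex digits, optional 0x prefix, not part of a longer hex run.
CANDIDATE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
KEY_HINT = re.compile(r"priv|secret|signer|deployer|_key\b|\bkey\b", re.I)
HASH_HINT = re.compile(r"\btx\b|hash|block|digest|sha256|topic", re.I)


def scan(text):
    """Return (line_number, verdict, redacted_value) for each suspicious value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = match.group(1).lower()
            if not 1 <= int(digits, 16) < SECP256K1_N:
                continue  # zero or out of range: cannot be a private key
            if len(set(digits)) < 8:
                continue  # padded placeholder such as 0x00...01
            label = line[:match.start()]  # what the value is assigned to
            if KEY_HINT.search(label):
                verdict = "likely-private-key"
            elif HASH_HINT.search(label):
                continue  # labelled as a transaction or block hash
            else:
                verdict = "unlabelled-256-bit-value"
            findings.append((number, verdict, digits[:6] + "..."))
    return findings


def sample():
    # Constructed input: both values are SHA-256 digests of fixed strings,
    # not keys or hashes of any real account or transaction.
    key = hashlib.sha256(b"constructed sample key").hexdigest()
    tx = hashlib.sha256(b"constructed sample tx").hexdigest()
    return "\n".join([
        "PRIVATE_KEY=0x" + key,
        "last tx hash: 0x" + tx,
        "owner = 0x0531242C5d7e00d23cfEbEE9ab0d13E700121547",
        "PLACEHOLDER_KEY=" + "0" * 63 + "1",
        "backup: " + key,
    ])


if __name__ == "__main__":
    print(scan(sample()))
```

The findings carry only a six-digit prefix so that the scanner's own output does not become another copy of the key. Any account whose key is flagged in already-published text should be treated as compromised and its funds moved to a fresh key.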
Granted, this isn’t a lot given how many $UNI tokens will be minted and how much volume there is in $UNI pools. The “attacker” hasn’t stolen anything either. What he did do is show once again that no matter how well established and how well audited you may be, you are never 100% protected against “hacks”, for lack of a better word. I would not say that the pool suffered significantly from this withdrawal, since at the time of writing UNI-ETH is at $30 mil. What is disappointing is that this is such a small “hack” that most will probably ignore it.
This poses an important question, one that shares ground with something that Vitalik mentioned on Kernel’s fireside. It is the choices that you are presented with in web3. The context was Ethereum, in particular. On the one hand, you can get a grant from Gitcoin or Ethereum Foundation (albeit a modest one, most likely) and on the other, you can launch a flashy ICO, or as is…