October 31, 2023
Unibot Exploited - Examining the Security Risks of Telegram Bots
On October 31, Beosin’s EagleEye reported that Unibot, a recently trending project, had been attacked by hackers, drawing considerable market attention: https://eagleeye.space/address/0x413e4Fb75c300B92fEc12D7c44e4c0b4FAAB4d04
Even after the attack was disclosed, the hackers continued the assault and proceeded to transfer the stolen assets, causing the associated token’s price to drop briefly to around 33.02 USDT, a 35% decrease within 24 hours.
Unibot, as introduced in our previous articles, is a Telegram trading bot that users interact with to monitor liquidity pools, trade tokens, and replicate others’ trades. Its market value surged from $30 million to over $100 million back in August, grabbing market attention, but its security issues remain unaddressed.
In today’s security incident, the Beosin security team’s analysis found that the attack on Unibot was rooted in a Call Injection vulnerability, resulting in a loss of $640,000. Beosin advises users to cancel authorizations on Revoke to avoid further financial losses. Link: https://revoke.cash/
Beosin Trace has traced the stolen funds and found that the hacker has moved them to the mixer platform Tornado Cash for laundering.
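An ERC-20 allowance granted to a contract stays usable by that contract until it is set back to zero, which is why cancelling authorizations matters here. The following is an added example, not Beosin’s or Unibot’s code: it replays ERC-20 `Approval` logs to find allowances a wallet still has open to a given spender and builds the `approve(spender, 0)` calldata that revokes each one. The addresses and log entries are constructed placeholders, and the log dictionaries assume `eth_getLogs`-style fields with `blockNumber` and `logIndex` already converted to integers.

```python
# ERC-20 constants (standard values, not specific to this incident).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)

def _addr(word):
    """Low 20 bytes of a 32-byte topic or a plain address, lowercased, no 0x."""
    return word.lower()[-40:]

def open_allowances(logs, owner, spender):
    """Replay Approval logs in chain order; the latest value per token wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-20 Approval has exactly 3 topics (ERC-721 Approval has 4).
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(t[1]) == _addr(owner) and _addr(t[2]) == _addr(spender):
            latest[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in latest.items() if amount > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, padded address, zero amount."""
    addr = _addr(spender)
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

# Constructed sample data: placeholder addresses, not taken from the incident.
OWNER, OTHER = "0x" + "11" * 20, "0x" + "33" * 20
SPENDER = "0x" + "22" * 20            # hypothetical contract holding approvals
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
MAX = 2**256 - 1

def _log(token, owner, spender, amount, block, index=0):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "blockNumber": block, "logIndex": index}

SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER, SPENDER, 0, 105),      # later revoke of TOKEN_B
    _log(TOKEN_A, OWNER, SPENDER, MAX, 100),    # unlimited approval, still open
    _log(TOKEN_B, OWNER, SPENDER, 500, 101),    # superseded by block 105
    _log(TOKEN_A, OTHER, SPENDER, MAX, 102),    # different owner, ignored
    _log(TOKEN_A, OWNER, OTHER, 7, 103),        # different spender, ignored
]

if __name__ == "__main__":
    for token in open_allowances(SAMPLE_LOGS, OWNER, SPENDER):
        print(token, "->", revoke_calldata(SPENDER))
```

The calldata is sent by the wallet owner to each listed token contract; a wallet with no open allowance to the spender yields an empty result.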
The Security Risk of Telegram Bot Unibot
Telegram bot risks align with those of centralized exchanges. To use Telegram bots, users need to import their private keys, which makes the keys susceptible to being read by other software during the process. Once private keys are imported into a Telegram bot, the crypto assets they control are no longer solely under the user’s control.
2. Security Risks
Most Telegram bots are not open-source and lack third-party code audits. Potential vulnerabilities in these bots might result in asset losses. If a user’s Telegram account is attacked (a common occurrence in phishing attacks on Telegram accounts), the assets on the Telegram bot would fall under the hacker’s control.
During the Telegram bot trend, instances of phishing and scams involving these bots continue to emerge. These bots claim to be automatic trading or front-running bots, induce users to import private keys, and then transfer funds without user permission.
The Importance of Smart Contract Audits and User Safety Measures
Smart contract audits are crucial within the Web3 ecosystem. Vulnerabilities and security issues in smart contracts might lead to fund losses, data breaches, or contract manipulations. Audits help identify and rectify potential vulnerabilities and weaknesses, ensuring the safety and reliability of contracts. Thorough contract reviews can prevent potential attacks and guarantee user fund and data security.
Additionally, when selecting projects, users should:
1. Conduct comprehensive research. Users should thoroughly understand the operational logic and potential risks of the project through the project’s official website, documentation, community channels, code audit reports, and other means to avoid falling for scams.
2. Stay updated on the latest project developments. Users should keep abreast of the project’s progress through official Twitter, Telegram groups, Discord channels, or other means to respond quickly to Rug Pulls, contract vulnerabilities, or hacker attacks.
3. On Beosin EagleEye, users can input a token’s contract address to have the platform inspect its contract code and receive relevant risk alerts.