defirisk.co
rubric v1.7.0

Unibot: Unvalidated arbitrary call in new router — transferFrom injection via approval drain

Unibot's new unverified router was exploited for $640K via an unvalidated arbitrary call that let attackers drain token approvals from user wallets, with copycat exploitation continuing after the announcement because the team failed to warn users to revoke.

Occurred 2023-10-31 Loss $640K Status closed

Summary #

Unibot (a Telegram trading bot / DEX router) suffered an exploit of its newly deployed router on 2023-10-31, resulting in a loss of approximately $640K.

What happened #

Unibot deployed a new router three days before the incident; the contract was unverified and unaudited. It exposed an unvalidated arbitrary call: a caller could supply a target address and raw calldata, and the router forwarded that call from its own address without checking either. Because users had granted the router token approvals in order to trade, an attacker could pass a token contract as the target with transferFrom(victim, attacker, amount) as the calldata, and the token would honour it since the router was the approved spender. Roughly $640K was drained from user wallets this way. Copycat exploitation continued after the incident was announced, because the team did not tell users to revoke the approvals they had granted to the router, so the drain path stayed open for anyone who noticed it.
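The pattern described above, as an added illustration rather than Unibot's own code: a router that forwards caller-supplied calldata from its own address, the calldata an attacker would hand it, and a hardened router that allowlists targets and refuses to forward transferFrom. Contract and function names (ArbitraryCallRouter, DrainCalldata, HardenedRouter, execute, pullFromCaller) are hypothetical and are not taken from the exploited contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for illustration; not Unibot's router. Names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: forwards arbitrary calldata to an arbitrary target.
/// The forwarded call's msg.sender is this router, so every approval users
/// granted to it can be spent by anyone who calls execute().
contract ArbitraryCallRouter {
    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Attacker side: the calldata passed as `data`, with the token as `target`.
/// No privilege is needed; the router already holds the approval.
contract DrainCalldata {
    function build(address victim, address attacker, uint256 amount) external pure returns (bytes memory) {
        return abi.encodeWithSelector(IERC20.transferFrom.selector, victim, attacker, amount);
    }
}

/// Hardened pattern: only allowlisted targets may be called, transferFrom is
/// never forwarded, and any pull of user tokens is explicit and from msg.sender only.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function execute(address target, bytes calldata data) external payable returns (bytes memory) {
        require(allowedTarget[target], "target not allowlisted");
        // Never forward transferFrom, even to an allowlisted target.
        require(data.length >= 4, "calldata too short");
        require(bytes4(data[:4]) != IERC20.transferFrom.selector, "transferFrom forbidden");
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }

    /// Tokens are only ever pulled from msg.sender, so an approval to this
    /// router can move funds only in a transaction the approver sent.
    function pullFromCaller(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }
}
```

Two caveats a reviewer would raise on the hardened version. The allowlist only helps if every allowlisted target is itself safe to call from the router's address; a DEX router that exposes its own permissionless multicall or arbitrary-call path would reintroduce the drain. And the selector check is a backstop, not a substitute: anything a token might do on the router's behalf beyond transferFrom (a permit-style pull, a non-standard burnFrom) still needs the target to be off the allowlist. On the user side, the only reliable remediation once such a router is live is to set the allowance to zero by calling the token's approve(router, 0) for every token ever approved to it, which is why the missing revoke warning kept the copycat drains going.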

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
  • RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — new router deployed 3 days before exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: Unibot launched ~2023; new router deployed days before exploit]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — new router deployed 3 days before exploit]