Unibot Hacked, Raising Concerns About TG Bot Security

Today, according to user feedback in the community, the Telegram Bot project Unibot appears to have been compromised. Attackers are transferring tokens from Unibot users and converting them into ETH.

As the stolen funds continue to increase and the vulnerability remains unpatched, the price of $UNIBOT tokens has dropped from $58.38 to the current price of $44.89.

Security firm BlockSecTeam's analysis suggests that the function 0xb2bd16ab in the 0x126c contract lacked input validation due to its closed-source nature, allowing arbitrary calls. Consequently, attackers can invoke “transferFrom” to move tokens approved within the contract. BlockSecTeam advises users to revoke contract approvals promptly and transfer funds to a new wallet.

Beosin's security team's analysis points to the fundamental cause of the Unibot attack being CAll injection. Attackers can pass custom malicious call data to the 0xb2bd16ab contract, facilitating the transfer of tokens approved by the Unibot contract. Beosin Trace is actively tracking the stolen funds, and Beosin reminds users that they can revoke wallet authorizations on Revoke.

Unibot announced on X platform that they encountered a token approval vulnerability in their new Router and have temporarily halted their Router to contain the issue. They assured that any financial losses caused by the new Router issue would be compensated, and emphasized that keys and wallets remained secure.

As of the latest update, the bug in Unibot has not been fixed. Previously, a similar Telegram Bot project called Maestro was compromised, and the team spent 610 ETH to compensate affected users. With Telegram Bot tools, users do not have control over their private keys, and as multiple users have been victims of such incidents, it has raised concerns about the security of these tools.