Learn to identify and avoid Multicall signature phishing
Educational Purpose Only
Attackers are now exploiting legitimate Uniswap V3 Multicall contracts to steal tokens from
unsuspecting users. This challenge will teach you how to identify and protect yourself from these
sophisticated phishing attacks.
In this simulation, you'll experience how scammers trick users into signing malicious permit
authorizations that appear to come from legitimate Uniswap contracts.
transferFrom(address from, address to, uint256 value)
Note: This transaction uses a previously signed Permit signature to
authorize the Multicall contract to transfer your tokens.
Phishing Attack Detected!
You just encountered a Uniswap V3 Multicall phishing attack. The signature request you received
was malicious!
Here's what happened:
You were asked to sign a permit for a legitimate Uniswap V3 Multicall contract
The phisher used the Multicall's aggregate function to bundle multiple calls
This would allow them to execute both a permit and a transfer in a single transaction
Even though the contract address is legitimate, the transaction itself was malicious
Important Security Note: This method has been used by Drainers to bypass wallet
security mechanisms. By bundling multiple operations into a single transaction through
Multicall, attackers can obscure the true intent of the transaction, making it difficult for
wallet security features to detect the malicious activity.
Understanding Uniswap V3 Multicall Phishing
The Uniswap V3 Multicall contract is a legitimate contract that allows bundling multiple
transactions into one. However, attackers can abuse this functionality:
How the Attack Works:
Attackers create transactions using the legitimate Uniswap V3 Multicall contract
They use the aggregate function to bundle multiple calls together
This includes a permit call (using your signature) and a transferFrom call
The bundled transaction allows them to authorize and transfer tokens in a single transaction
Why it's dangerous:
The contract address is legitimate, so it may not trigger security warnings
The true purpose of the transaction is hidden within bundled calls
The encoded call data is difficult for users to interpret
Because the permit signing is separated from the actual transfer, wallet security checks may miss the attack
Challenge Completed!
Great job identifying the Uniswap V3 Multicall phishing attack! Here's how to protect yourself:
Always verify signature requests carefully, especially for bundled transactions
Be suspicious of functions like aggregate or multicall that can hide malicious operations
Check the actual calldata being executed, not just the contract address
Use wallets with advanced transaction simulation capabilities
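The calldata check recommended above, as an added example that is not part of the original page: a Python decoder that unpacks a bundled aggregate call and lists the inner permit and transferFrom calls that name a given wallet as owner or sender. It assumes the Multicall-style aggregate((address,bytes)[]) encoding, since the page names the function but not its signature, and every address and value in it is a constructed placeholder.

```python
# Added example. Addresses and values are constructed placeholders, not real contracts.
AGGREGATE = bytes.fromhex("252dba42")                # aggregate((address,bytes)[]), assumed ABI
RISKY = {bytes.fromhex("d505accf"): "permit",        # EIP-2612 permit(owner, spender, ...)
         bytes.fromhex("23b872dd"): "transferFrom"}  # transferFrom(from, to, value)

def u(n): return n.to_bytes(32, "big")               # uint256 word
def addr(a): return b"\0" * 12 + a                   # 20-byte address, left-padded

def word(buf, off):
    if off + 32 > len(buf):
        raise ValueError("truncated calldata")
    return int.from_bytes(buf[off:off + 32], "big")

def encode_aggregate(calls):
    """ABI-encode [(target, data)]; used here only to build the sample input."""
    tuples = [addr(t) + u(64) + u(len(d)) + d + b"\0" * (-len(d) % 32) for t, d in calls]
    starts = [32 * len(calls) + sum(map(len, tuples[:i])) for i in range(len(tuples))]
    return AGGREGATE + u(32) + u(len(calls)) + b"".join(map(u, starts)) + b"".join(tuples)

def decode_aggregate(calldata):
    """Return [(target, inner_calldata)] from aggregate() calldata."""
    if calldata[:4] != AGGREGATE:
        raise ValueError("not an aggregate() call")
    args = calldata[4:]
    arr = word(args, 0)                  # offset of the Call[] array
    base = arr + 32                      # element offsets are relative to this point
    calls = []
    for i in range(word(args, arr)):     # word at `arr` is the array length
        tup = base + word(args, base + 32 * i)
        data_at = tup + word(args, tup + 32)
        size = word(args, data_at)
        if data_at + 32 + size > len(args):
            raise ValueError("truncated inner call")
        calls.append((args[tup + 12:tup + 32], args[data_at + 32:data_at + 32 + size]))
    return calls

def review(calldata, wallet):
    """List inner permit/transferFrom calls whose owner/from argument is `wallet`."""
    hits = []
    for target, data in decode_aggregate(calldata):
        name = RISKY.get(data[:4])
        if name and data[16:36] == wallet:   # first address argument of the inner call
            hits.append((name, "0x" + target.hex()))
    return hits

TOKEN, WALLET, MULTICALL, OTHER = (bytes([b]) * 20 for b in (0x11, 0xAA, 0xBB, 0xCC))
PERMIT = bytes.fromhex("d505accf") + addr(WALLET) + addr(MULTICALL) + u(10**18) + u(2**32) + u(27) + u(1) + u(2)  # dummy deadline/v/r/s
TRANSFER = bytes.fromhex("23b872dd") + addr(WALLET) + addr(OTHER) + u(10**18)
SAMPLE = encode_aggregate([(TOKEN, PERMIT), (TOKEN, TRANSFER)])
```

review(SAMPLE, WALLET) reports both inner calls even though the outer transaction targets only the bundling contract. Other bundling functions use different argument layouts and need their own decoder.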