On October 31, 2023, the popular Telegram trading bot Unibot lost approximately $640,000 through a token-approval vulnerability in a newly-deployed router contract. Users who had granted approvals to the new Unibot router could have their tokens transferred out by the attacker. Unibot publicly committed to and delivered full reimbursement of affected users.
What happened
Unibot is a Telegram-based trading bot — users interact with it via chat, and it executes on-chain trades from bot-managed or bot-approved wallets. Like any router/aggregator, it relies on users granting token approvals to its contracts.
Unibot deployed a new router contract. That contract's transfer path had missing or inadequate validation of who was calling and whose tokens were being moved, so an arbitrary caller could make the router, acting as an approved spender, pull tokens from any wallet that had approved it. The shape is the recurring "approval-holding contract with an unvalidated transfer path" pattern:
- The attacker identified the vulnerability in the freshly-deployed router.
- For each wallet that had approved the new Unibot router, the attacker called the vulnerable function with the victim as the source and an attacker-controlled address as the destination; the router, as the approved spender, executed the transferFrom on the victim's behalf, so each wallet lost up to the smaller of its balance and its allowance.
- Roughly $640K was drained across affected wallets before the contract was paused.
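Finding the exposed wallets is the first step for attacker and responder alike. The following is an added example, not code from the Unibot team, Halborn or rekt.news: it replays ERC-20 Approval events, in the JSON shape a node's eth_getLogs returns, to list every wallet holding a live allowance toward a given router address and to size what an exploit of that router could take. All addresses, amounts and log entries are constructed for the example.

```python
"""Replay ERC-20 Approval events to find wallets with a live allowance toward a
router. Added example for this write-up (not Unibot's, Halborn's or rekt.news'
code). The log entries are constructed by hand in the shape eth_getLogs returns
(hex-encoded topics and data); every address and amount is made up."""

# keccak256("Approval(address,address,uint256)"), the topic0 of every ERC-20 Approval
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1  # what wallets/bots approve when they ask for "infinite"

# Hypothetical addresses (assumption: none of these is a real contract or wallet).
TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
OLD_ROUTER = "0x1111111111111111111111111111111111111111"
NEW_ROUTER = "0x2222222222222222222222222222222222222222"
ALICE = "0x3333333333333333333333333333333333333333"
BOB = "0x4444444444444444444444444444444444444444"
CAROL = "0x5555555555555555555555555555555555555555"


def as_topic(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte indexed-topic encoding."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def from_topic(topic: str) -> str:
    """Recover the address from a 32-byte topic (last 20 bytes)."""
    return "0x" + topic[-40:].lower()


def approval_log(token, owner, spender, value, block, index):
    """Build one constructed log entry the way a node would emit it."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, as_topic(owner), as_topic(spender)],
        "data": "0x" + format(value, "064x"),
        "blockNumber": hex(block),
        "logIndex": hex(index),
    }


# Constructed history; deliberately not in chain order to exercise the sort.
SAMPLE_LOGS = [
    approval_log(TOKEN, ALICE, OLD_ROUTER, UINT256_MAX, 100, 0),   # old router, never revoked
    approval_log(TOKEN, CAROL, NEW_ROUTER, 0, 210, 3),             # Carol later revoked
    approval_log(TOKEN, ALICE, NEW_ROUTER, UINT256_MAX, 200, 5),   # unlimited approval to the new router
    approval_log(TOKEN, BOB, NEW_ROUTER, 500 * 10**18, 201, 1),    # bounded approval
    approval_log(TOKEN, CAROL, NEW_ROUTER, UINT256_MAX, 202, 2),
]


def replay_allowances(logs):
    """Return {(token, owner, spender): latest approved value}.
    Approval sets the allowance rather than adding to it, so only the newest
    event per triple counts; sort by (block, logIndex) first because paged
    eth_getLogs results are not guaranteed to arrive in chain order."""
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    allowances = {}
    for log in ordered:
        topics = log.get("topics") or []
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # some other event, or a non-standard Approval; skip
        key = (log["address"].lower(), from_topic(topics[1]), from_topic(topics[2]))
        allowances[key] = int(log["data"], 16)
    return allowances


def exposed_to(allowances, spender, balances):
    """Wallets whose tokens `spender` can pull right now. An exploit of the
    spender can take at most min(allowance, balance): an 'infinite' approval is
    only as infinite as the wallet behind it."""
    spender = spender.lower()
    out = []
    for (token, owner, sp), value in allowances.items():
        if sp != spender or value == 0:
            continue
        balance = balances.get((token, owner), 0)
        out.append({"token": token, "owner": owner, "allowance": value,
                    "unlimited": value == UINT256_MAX,
                    "at_risk": min(value, balance)})
    return sorted(out, key=lambda e: e["owner"])


# Constructed balances (assumption), to show exposure = min(allowance, balance).
BALANCES = {(TOKEN, ALICE): 1_000 * 10**18,
            (TOKEN, BOB): 2_000 * 10**18,
            (TOKEN, CAROL): 5_000 * 10**18}

if __name__ == "__main__":
    for e in exposed_to(replay_allowances(SAMPLE_LOGS), NEW_ROUTER, BALANCES):
        print(f"{e['owner']} unlimited={e['unlimited']} at_risk={e['at_risk'] // 10**18} tokens")
```

Two caveats a responder should keep in mind. The replay is an upper bound: most ERC-20 implementations spend allowance inside transferFrom without emitting a fresh Approval event, so the authoritative number is the token's allowance(owner, spender) view on chain, and the replay is for offline triage when you only have logs. And Alice's untouched allowance to the old router shows up in the replay but not in the output, which is the point of revocation hygiene: it is not exposed to this bug, but it is still standing trust toward whatever that address does next.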
Aftermath
- Unibot paused the affected router and urged users to revoke approvals.
- The team publicly committed to fully reimbursing all affected users and delivered on it, funded from bot revenue and treasury.
- The UNIBOT token dropped sharply on the news but partially recovered following the reimbursement commitment.
Why it matters
Unibot belongs to the Telegram-trading-bot risk class alongside Banana Gun (2024) and others — a product category that grew to enormous trading volume in 2023-2026 but whose security model layers multiple fragile dependencies (Telegram auth, bot-managed key custody, fast-shipping router code).
The specific bug, a newly deployed approval-holding router with an unvalidated transfer path, is the same pattern as Furucombo (2021), Transit Swap (2022), LI.FI (2024), and Unizen (2024). The recurring shape:
- Users grant infinite/standing approvals to a router for UX convenience.
- The team ships a new router version quickly.
- The new version's transfer path lacks rigorous caller/source validation.
- Every user who approves the new version (usually unlimited, because the bot asks for it as routine onboarding) is exposed to that version's bugs; if the router sits behind an upgradeable proxy, the address does not change and every existing approval carries over with no user action at all.
The structural lesson, repeated across the catalogue: an unlimited approval is unlimited trust extended forward in time. An allowance is keyed to a spender address, not to the code that address ran when the approval was granted, so a router upgraded in place inherits every standing approval, and a freshly deployed router collects fresh unlimited approvals from users on day one, before the code has any production history. The defensive answers are well documented: approvals bounded to the amount of the trade, signature-based approvals granted per transaction (EIP-2612 permit with a deadline, or Permit2 allowances, which carry an expiry), regular revocation hygiene, and treating every router deployment or upgrade as a fresh audit target. The bug keeps recurring because router code ships fast and users almost never revoke.
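A compact model of the failure mode and of the fix, added here as an example rather than taken from Unibot's contracts (those are Solidity; this is Python, with made-up names and amounts): a ledger with ERC-20 approve/transferFrom semantics, a router whose transfer path trusts a caller-supplied source address, and the hardened router that binds the source to the caller. The `caller` argument stands in for msg.sender, which is an assumption of the model rather than anything in the original write-up.

```python
"""Toy model of the approval/router failure mode. Added example for this
write-up, not Unibot's code. A Python ledger with ERC-20 approve/transferFrom
semantics, a router whose pull path forwards a caller-supplied `src`, and the
hardened router that refuses unless src == caller. Names/amounts are made up;
`caller` plays the role of msg.sender."""

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stand-in for an EVM revert."""


class Token:
    """Minimal ERC-20 ledger: balances and allowance[(owner, spender)]."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # approve sets, it does not add

    def transfer_from(self, caller, src, dst, amount):
        """`caller` is the spender (msg.sender at the token); it may only move
        `src`'s tokens up to the allowance `src` granted to it."""
        allowed = self.allowance.get((src, caller), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise Revert("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # the usual 'infinite approval' special case
            self.allowance[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class VulnerableRouter:
    """The recurring bug: `src` comes from calldata and is never compared with the
    caller, so anyone can spend any allowance ever granted to this router."""

    def __init__(self, address):
        self.address = address

    def pull(self, caller, token, src, dst, amount):
        token.transfer_from(self.address, src, dst, amount)  # router is the spender


class HardenedRouter:
    """Fix: the only allowance a call may spend is the caller's own."""

    def __init__(self, address):
        self.address = address

    def pull(self, caller, token, src, dst, amount):
        if src != caller:
            raise Revert("src must be msg.sender")
        token.transfer_from(self.address, src, dst, amount)


def drain(router, token, victim, attacker):
    """What the attacker did per victim: src=victim, dst=attacker, amount = the
    most the allowance and balance permit. Returns the amount moved."""
    allowed = token.allowance.get((victim, router.address), 0)
    amount = min(allowed, token.balances.get(victim, 0))
    if amount == 0:
        return 0  # nothing approved (or already revoked)
    try:
        router.pull(attacker, token, victim, attacker, amount)
    except Revert:
        return 0
    return amount


def scenario(router_cls, approval):
    """Alice approves `approval` to a fresh router, then the attacker tries to
    drain her. Returns (alice's loss, alice's remaining balance)."""
    token = Token({"alice": 1_000, "attacker": 0})
    router = router_cls("router_v2")
    token.approve("alice", router.address, approval)
    loss = drain(router, token, "alice", "attacker")
    return loss, token.balances["alice"]


def legitimate_swap_works():
    """The hardened router still serves its owner: Alice moves her own tokens."""
    token = Token({"alice": 1_000})
    router = HardenedRouter("router_v2")
    token.approve("alice", router.address, 50)
    router.pull("alice", token, "alice", "pool", 50)
    return token.balances["pool"]


if __name__ == "__main__":
    print("vulnerable, unlimited approval:", scenario(VulnerableRouter, UINT256_MAX))
    print("vulnerable, bounded approval:  ", scenario(VulnerableRouter, 100))
    print("vulnerable, approval revoked:  ", scenario(VulnerableRouter, 0))
    print("hardened, unlimited approval:  ", scenario(HardenedRouter, UINT256_MAX))
```

Running the four scenarios gives the whole argument in numbers: the unvalidated router loses the entire balance under an unlimited approval, a bounded approval caps the loss at the approved amount, a revoked approval loses nothing even against the vulnerable code, and the hardened router refuses the attacker outright while still executing Alice's own trade.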
Unibot's clean full reimbursement is the redeeming feature of the incident, and increasingly the expected baseline. By late 2023, a trading-bot operator that suffered a bug and did not make users whole would not survive the reputational consequences; the operators that survive are the ones that treat reimbursement as non-negotiable. That norm, established incident by incident across this catalogue, is one of the few genuinely positive trends in the dataset.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-unibot-hack-october-2023
- [02] decrypt.co: https://decrypt.co/203795/unibot-telegram-bot-falls-prey-major-exploit-over-640k-crypto-lost
- [03] rekt.news: https://rekt.news/unibot-rekt