Decentralized finance protocol UniLend Finance has reportedly been exploited on Ethereum, leading to a loss of roughly $197,000 worth of assets.
On Jan. 12, real-time web3 security startup TenArmorAlert reported that an attacker exploited UniLend’s “redeem process” by manipulating a flaw in the share price calculation. This allowed the attacker to artificially inflate their collateral value and drain funds from the pool.
The attacker deposited USDC and Lido Staked Ether (stETH) as collateral, borrowed the entire pool’s stETH, and then redeemed their initial deposits without repaying the borrowed tokens, effectively depleting the pool.
At around 11:19:59 AM UTC, the exploit transaction was executed, with losses initially estimated by TenArmorAlert at $196.2K. However, a subsequent update from web3 security firm SlowMist placed the total losses slightly higher at $197.6K.
As of publication, UniLend Finance had not addressed the exploit and request for additional insights from crypto.news remained unanswered.
The DeFi sector has remained a prime target for bad actors in recent years. According to blockchain forensic firm PeckShield, approximately 60% of all exploits and scams in 2024 targeted this sector.
One of the biggest exploits in 2024 was that of Radiant Capital, allegedly executed by the notorious Lazarus Group, resulting in a $50 million loss. The attackers impersonated a trusted former contractor of the DeFi protocol to deploy malware across the devices of at least three of the project’s developers.
In November 2024, Thala protocol’s liquidity pools were drained for approximately $25.5 million, with the attacker leveraging a vulnerability in the protocol’s farming contracts. Fortunately, the attacker agreed to a $300,000 bounty and returned all stolen assets.
