On January 12, 2025, decentralized finance (DeFi) protocol UniLend Finance suffered an exploit resulting in a loss of approximately $200,000. The attacker exploited a vulnerability in the token redemption process, manipulating the share price so that the protocol miscalculated the attacker's collateral value.
Details of the Exploit
The attacker initiated the exploit by depositing substantial amounts of USDC and Lido Staked Ether (stETH) into UniLend Finance. By manipulating the collateral calculations, the attacker was able to borrow more stETH than the deposited collateral would typically allow.
The core issue resided in the redeemUnderlying function's improper health factor validation. Using a flash loan, the attacker deposited 60 million USDC and 6 stETH into the UniLend platform. With the manipulated health factor, the attacker borrowed 60.67 stETH, surpassing the typical borrowing limits. The attacker then redeemed the deposited collateral without repaying the borrowed stETH, effectively draining the pool's assets. This sequence of actions led to a total loss of approximately 61 stETH, equivalent to around $200,000 at the time of the attack.
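The invariant a redeem path has to enforce, shown as an added example in a simplified Python model; it is not UniLend's contract code, and the page does not publish the actual logic. The 80% loan-to-value limit, the amounts and all function names are assumptions made for illustration.

```python
# Simplified lending-position model (illustrative; not UniLend's contract code).
LTV_BPS = 8_000   # assumed limit: debt may be at most 80% of collateral value
BPS = 10_000


class Unhealthy(Exception):
    """Raised when an action would leave debt under-collateralised."""


def is_healthy(collateral: int, debt: int) -> bool:
    # Integer basis-point math, as a contract would do, to avoid rounding drift.
    return collateral * LTV_BPS >= debt * BPS


def redeem_flawed(collateral: int, debt: int, amount: int) -> int:
    """Checks health on the balance BEFORE the withdrawal is applied."""
    if amount > collateral:
        raise ValueError("amount exceeds deposited collateral")
    if not is_healthy(collateral, debt):
        raise Unhealthy("position unhealthy")
    return collateral - amount


def redeem_checked(collateral: int, debt: int, amount: int) -> int:
    """Checks health on the balance the position will have AFTER the withdrawal."""
    if amount > collateral:
        raise ValueError("amount exceeds deposited collateral")
    remaining = collateral - amount
    if not is_healthy(remaining, debt):
        raise Unhealthy("redeem would leave outstanding debt under-collateralised")
    return remaining


def try_redeem(fn, collateral: int, debt: int, amount: int):
    """Returns the remaining collateral, or None if the redeem was rejected."""
    try:
        return fn(collateral, debt, amount)
    except Unhealthy:
        return None


if __name__ == "__main__":
    # Constructed position: 100 units of collateral backing 60 units of debt.
    print(try_redeem(redeem_flawed, 100, 60, 100))   # flawed path lets all collateral leave
    print(try_redeem(redeem_checked, 100, 60, 100))  # rejected
    print(try_redeem(redeem_checked, 100, 60, 25))   # allowed, position stays at the limit
```

A property test asserting `is_healthy` on the stored state after every state-changing call catches this class of error before deployment.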
UniLend’s Response
Following the incident, UniLend Finance acknowledged the security breach, stating that it affected approximately 4% of the platform's $4.7 million Total Value Locked (TVL). They assured users that UniLend V1 funds remained secure and advised against depositing into V2 until further notice. Additionally, UniLend extended a 20% bounty offer to the attacker for the safe return of the stolen funds.
This exploit shows the critical importance of rigorous security measures within DeFi protocols. To prevent similar incidents, protocols must ensure that collateral calculations are accurate and that audits are conducted. Identifying and addressing vulnerabilities proactively is essential to protect user assets and maintain trust in decentralized financial systems.
FAQs
1. What was the impact of the UniLend Finance exploit?
The exploit resulted in a loss of approximately $197,600, accounting for about 4% of UniLend's total value locked (TVL) of $4.7 million.
2. How did the attacker exploit the UniLend protocol?
The attacker exploited a vulnerability in the token redemption process, affecting the share price calculation and leading to incorrect collateral valuation.
3. What steps did UniLend take following the exploit?
UniLend advised users to refrain from depositing into V2, confirmed the security of V1 funds, and offered a 20% bounty for the return of the stolen assets.