Decentralized finance protocol UniLend Finance was reportedly exploited on Ethereum, resulting in a loss of assets worth approximately $197,000.
On January 12, TenArmorAlert, a real-time Web3 security startup, reported that an attacker had exploited UniLend’s “buyback process” by manipulating a flaw in the stock price calculation. This allowed the attacker to artificially inflate the value of their collateral and drain funds from the pool.
The attacker deposited USDC and Lido Staked Ether (stETH) as collateral, borrowed all of the stETH from the pool, and then repurchased their initial deposits without repaying the borrowed tokens, thereby depleting the pool.
The exploit transaction was executed at approximately 11:19:59 UTC, with TenArmorAlert initially estimating losses at $196.2k. However, a later update from Web3 security firm SlowMist placed total losses slightly higher at $197.6k.
At the time of publication, UniLend Finance had not resolved the exploit and crypto.news’ request for additional information remained unanswered.
The DeFi sector has remained a prime target for bad actors in recent years. According to forensics firm PeckShield, approximately 60% of all exploits and scams in 2024 targeted this sector.
One of the biggest exploits of 2024 was that of Radiant Capital, which was allegedly executed by the famous Lazarus Group, resulting in a loss of $50 million. The attackers posed as a trusted former DeFi protocol entrepreneur to deploy malware on the devices of at least three of the project’s developers.
In November 2024, Thala Protocol’s liquidity pools were depleted by approximately $25.5 million, with the attacker exploiting a vulnerability in the protocol’s farming contracts. Fortunately, the attacker accepted a $300,000 bounty and returned all stolen assets.