UniLend Finance, a DeFi protocol, has reportedly lost funds to an attacker. As reported by SlowMist, a blockchain security firm, the attacker exploited a vulnerability in the protocol’s redeem process to steal $197.6K. The attacker manipulated the protocol’s share price, which caused the protocol to miscalculate the collateral value and gave him the chance to drain the protocol’s pool.
https://twitter.com/SlowMist_Team/status/1878651772375572573
What Really Happened?
In the attack, which took place on Jan. 12, 2025, the attacker made a deposit to the platform in USDC and Lido Staked Ether (StETH). He then borrowed all of the pool’s StETH, using the USDC and StETH deposited earlier as collateral.
After receiving the borrowed StETH, the attacker redeemed his deposits without repaying the borrowed tokens, thereby depleting all the crypto in the pool. As indicated by Etherscan, the attacker sent the stolen crypto to wallet address 0x3F…dA21.
After the attack, UniLend Finance confirmed the incident on its official X page. “We’ve identified a security compromise affecting ~$200k (~4%) of the $4.7M TVL on UniLend Platform,” the post read.
The firm has also advised users to refrain from depositing funds into UniLend V2. Additionally, UniLend has confirmed that the funds on UniLend V1 are completely safe. “UniLend V1 funds are completely SAFU,” confirmed UniLend. SAFU stands for “Secure Asset Fund for Users,” which refers to funds set aside for users in case of an extreme attack.
UniLend Offers 20% Bounty to the Attacker
UniLend Finance is committed to resolving the issue, offering a beacon of hope to the affected DeFi users. Aiming to recover the funds, the firm is offering the attacker a 20% bounty if he is willing to return the stolen funds.
“In the spirit of fostering resolution, we are offering a 20% bounty to the responsible party for the safe return of funds,” UniLend stated. “If you’re willing to cooperate, please return the funds and reach out to us securely. Let’s work towards an amicable solution,” the firm further added.
While it is quite unlikely for crypto attackers to return stolen funds, UniLend Finance and the affected users remain hopeful that the attacker will take the 20% white hat route offered to him.
A Rise in Crypto Attacks
There has been a recent surge in crypto attacks. As covered earlier, 2024 topped the years in which crypto attacks were at their highest, with $2.2 billion stolen from cryptocurrency platforms in the year. This marked a 21.07% surge from the preceding year, 2023.
Additionally, the Chainalysis report indicated that the DeFi sector is a primary target for crypto attackers. DeFi accounted for the largest share of all lost funds in Q1 of 2024. However, the attacks shifted to centralized services in Q2 and Q3 of the same year.
With the recent attack on UniLend Finance coming just 12 days into the year, 2025 could be set for a trend similar to the one experienced in 2024. As we progress further into 2025, crypto platforms are urged to ensure adherence to security best practices. This will help reduce exposure to devastating attacks and significant loss of funds.