Highlights:
- UniLend Finance was exploited on Ethereum, losing $197,000 due to an error in the calculation of share price.
- 60% of all crypto exploits involved DeFi platforms, as major losses continue to result from hacking incidents.
- Over $3 billion was lost to crypto hacks and scams in 2024.
UniLend Finance, a decentralized finance protocol, was exploited on Ethereum. In the attack, approximately $197,000 was lost. The incident happened on January 12, according to TenArmorAlert, a web3 security startup. An attacker exploited a problem with how the protocol calculates the share price. This allowed them to manipulate the system and inflate the value of their collateral.
🚨TenArmor Security Alert🚨
Our system has detected a suspicious attack involving #UniLend @UniLend_Finance on #ETH, resulting in an approximate loss of $196.2K.
The UniLend pool appears to incorrectly calculate a user’s collateral token balance.
Exploiting this flaw, the… pic.twitter.com/MsBvOviFeT
— TenArmorAlert (@TenArmorAlert) January 12, 2025
The attacker used USDC and Lido Staked Ether (stETH) as collateral. They borrowed the entire pool’s stETH and redeemed their initial deposits. The attacker failed to repay the borrowed tokens and drained the liquidity pool.
The exploit transaction was executed at 11:19:59 AM UTC. TenArmorAlert initially estimated the losses at $196,200. The web3 security firm SlowMist later updated the figure to $197,600 in its report. UniLend Finance has not commented on the exploit.
🚨SlowMist Security Alert🚨
We detected that @UniLend_Finance was exploited with a loss of $197.6k. The root cause was that the attacker exploited a vulnerability in the redeem process, manipulating the share price, which led to incorrect calculation of the attacker's collateral… pic.twitter.com/uAKhV5vTcK
— SlowMist (@SlowMist_Team) January 13, 2025
Attacker Manipulates Share Price to Drain Liquidity Pool
The exploit targeted a critical flaw in the redemption process of the platform. The attacker was able to increase their collateral value by manipulating the share price. This let them borrow more than they should have been allowed to.
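A defender-side check for the failure described above, as an added example that is not UniLend's code or part of the original article: it recomputes share price and collateral backing from pool state before and after each transaction. The pool model (price = total assets / total shares), the thresholds, the account names and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class PoolState:
    """Snapshot of a simplified share-based lending pool (assumed model)."""
    total_assets: int   # tokens held by the pool plus tokens owed to it
    total_shares: int   # deposit shares outstanding
    shares: dict        # account -> collateral shares
    debt: dict          # account -> tokens borrowed

def share_price(s):
    # Exact rationals so rounding cannot hide a small drift.
    return Fraction(s.total_assets, s.total_shares) if s.total_shares else Fraction(1)

def check_tx(before, after, max_move=Fraction(1, 100), min_ratio=Fraction(3, 2)):
    """Return alerts for one transaction, given pool state before and after it."""
    alerts = []
    p0, p1 = share_price(before), share_price(after)
    if abs(p1 - p0) > max_move * p0:
        alerts.append(f"share price moved {float(p0):.2f} -> {float(p1):.2f}")
    price = min(p0, p1)  # value collateral conservatively if the price jumped
    for acct, owed in sorted(after.debt.items()):
        backing = after.shares.get(acct, 0) * price
        if owed > 0 and backing < min_ratio * owed:
            alerts.append(f"{acct}: debt {owed} backed by {float(backing):.2f}")
    return alerts

# Constructed sample data: (tx label, state before, state after).
SAMPLE_TXS = [
    ("tx-deposit",
     PoolState(1000, 1000, {"lp": 1000}, {}),
     PoolState(1100, 1100, {"lp": 1000, "acct_x": 100}, {})),
    ("tx-suspect",
     PoolState(1100, 1100, {"lp": 1000, "acct_x": 100}, {}),
     PoolState(1300, 1000, {"lp": 1000, "acct_x": 0}, {"acct_x": 60})),
]

def scan(txs):
    """Map each transaction label to its alerts, keeping only flagged ones."""
    results = {label: check_tx(b, a) for label, b, a in txs}
    return {label: alerts for label, alerts in results.items() if alerts}

if __name__ == "__main__":
    for label, alerts in scan(SAMPLE_TXS).items():
        print(label, alerts)
```

The same two invariants (bounded share-price movement per transaction, and debt backed by collateral valued at the lower of the two prices) can be enforced on-chain after redeem and borrow calls rather than only monitored off-chain.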
These attacks highlight the weaknesses in decentralized finance platforms. At the same time, many protocols are still working to improve their security.
Decentralized finance has remained the biggest target of cybercriminals. According to PeckShield, the DeFi sector accounted for up to 60% of the total crypto exploits in 2024.
#PeckShieldAlert 2024 has witnessed a significant resurgence in crypto-related hacking activities. The total value of loss in 2024 has exceeded $3.01B, reflecting a ~15% increase over the $2.61B stolen in 2023.
This total includes $2.15B stolen from crypto hacks and $834.5M… pic.twitter.com/l58x17TE5m
— PeckShieldAlert (@PeckShieldAlert) January 9, 2025
The Radiant Capital hack was one of the largest exploits of the year. Lazarus Group hacked into the system by posing as a trusted contractor and stole $50 million by planting malware and taking control of the system.
In November 2024, an attacker exploited the liquidity pool of the Thala protocol, resulting in a $25.5 million loss. The attack focused on the farming contracts. The attacker returned the stolen funds after agreeing to a $300,000 bounty.
Crypto Hacks and Scams Result in Over $3 Billion in Losses
Hackers and scammers caused the cryptocurrency industry to lose over $3 billion last year. PeckShield claims that $833.5 million was lost to scams, while $2.15 billion was lost to hacks. Total losses in 2024 are 15% higher than in 2023. However, the number of incidents and assets stolen is lower than in 2022.
Access control vulnerabilities caused 78% of those losses. These vulnerabilities also impacted decentralized finance and gaming platforms. Additionally, phishing scams continued to be a major problem. According to CertiK, $1 billion was stolen in 296 phishing incidents. The most common targets were less experienced users.
Some recovery efforts succeeded despite the challenges. Authorities reclaimed approximately $488.5 million using blockchain tracing and enforcement actions. However, these efforts recovered only a fraction of the total losses.
Regulatory authorities have also increased their focus on fraudulent activities. France’s financial authority has launched investigations into crypto scams. Security experts emphasize the need for stronger user protections in the growing industry. The FBI warned of increased attacks by Lazarus Group, a cyber group linked to North Korea.