UniLend Redeem Underlying Missing Health Factor Check Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

UniLend Logo/Homepage

UniLend is a decentralized finance (DeFi) platform enabling permissionless lending and borrowing for any ERC20 token, along with features like isolated dual-asset pools, on-chain governance, and the Lamaa AI platform for building blockchain-integrated AI agents. However, a recent exploit occurred due to a flaw in the health factor check within the "redeemUnderlying" function, where the health factor was checked before collateral transfer, allowing hackers to manipulate balances and withdraw assets without adequate collateral. This led to a $198k loss after a hacker exploited the miscalculation by depositing USDC, borrowing stETH, and withdrawing the funds. The vulnerability stemmed from inflated token balances due to unremoved LP positions and improper health factor calculations. Although UniLend acknowledged the attack and offered a 20% bounty, the outcome and whether affected assets were made whole remain unclear.[1][2][3][4][5][6][7][8]

About UniLend Finance

UniLend is a decentralized finance (DeFi) platform aiming to democratize blockchain, AI, and DeFi by offering permissionless lending and borrowing functionalities for any ERC20 token. It features isolated dual-asset pools, flexible lending options, and on-chain governance for token holders to manage key parameters. UniLend also introduces Lamaa AI, a platform that enables users to build and launch modular AI agents with blockchain capabilities. Additionally, Numa Network offers a solution to simplify transaction execution and cross-chain intents, addressing issues like gas fees and scheduling. UniLend focuses on empowering its community through governance, allowing users to propose and vote on protocol changes.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The Unilend smart contract was exploited due to a flawed health factor check in the "redeemUnderlying" function, which allowed the withdrawal of 60.672854887643676587 stETH.

Key Event Timeline - UniLend Redeem Underlying Missing Health Factor Check Exploit
Date Event Description
January 12th, 2025 4:19:59 AM MST Ethereum Exploit Transaction The exploit transaction on Ethereum which is able to remove 60.672854887643676587 stETH.
January 12th, 2025 8:54:00 PM MST SlowMist Analysis Posted SlowMist posts
January 13th, 2025 7:04:00 AM MST UniLend Tweets Notice UniLend makes a post publicly acknowledging the vulnerability and effects. According to their post, the impact represents only $200k out of the $4.7m in TVL (total value locked) for their protocol. They are "working on a resolution for affected users".
January 13th, 2025 11:16:00 AM MST Tikkala Research Analysis Posted Tikkala Research shares an initial analysis of the damage, and subsequently the cause, of the significant loss in the UniLend platform.

Technical Details

The Unilend exploit occurred due to a flawed health factor check in the "redeemUnderlying" function, where the health factor was calculated before collateral transfer, allowing a hacker to manipulate the system and withdraw assets without proper collateral.

According to Nick L Franklin, the Unilend Pool exploit that led to a $200k loss was caused by a flaw in the health factor check in the "redeemUnderlying" function of the smart contract. The issue stemmed from the sequence of operations: LP tokens were first burned, and then the health factor was checked. However, the health factor was evaluated before the collateral tokens were transferred to the user, leading to an inaccurate balance calculation.

When the health factor was checked, the system relied on the current token balance in the pool contract, which included untransferred tokens. As these tokens were not yet transferred when calculating the user’s token balance, it resulted in an inflated balance. This miscalculation was particularly problematic in pools with large liquidity, as the “userBalanceOfToken” function returned a higher "lendBalance" with a small lending share, making it appear that the user had more collateral than they actually did.

A hacker exploited this vulnerability by depositing a massive amount of USDC (60 million) into the lending pool, borrowing stETH, and then withdrawing all the USDC. This allowed the hacker to effectively gain 60 stETH for free, bypassing the intended collateral requirements. The health factor check should have occurred after the token transfer, and to prevent such issues, it was recommended that the "getShareByValue" function use divUp instead of div to avoid rounding errors and ensure more accurate calculations.

In summary, the exploit took advantage of a timing flaw in the health factor check and inaccurate token balance calculations during withdrawal. These issues allowed the hacker to manipulate the system, withdrawing assets without providing adequate collateral.

Tikkala Research: "The root cause is the shares inflation, After burn the LPposition, @UniLend_Finance forgot to remove the underlying tokens which should reduce the token0.balanceOf(address(this)). When it start to count the HealthFactor of the position, it still uses the old balance and allows users to get more collateral (_lendBalance0) than they deposited."

Total Amount Lost

Amount of loss: $ 197,600 (60.672854887643676587 stETH)

The total amount lost has been estimated at $198,000 USD.

Immediate Reactions

The exploit was picked up by multiple blockchain analysts including SlowMist, Tikkala Research, and Nick L Franklin.

"On January 13, 2025, the SlowMist MistEye security monitoring system detected an attack on UniLend, resulting in a loss of ~$197K."

Ultimate Outcome

While UniLend publicly acknowledged the attack and claimed to be working with affected users, it was unclear what outcome occurred, if any.

UniLend Finance offered a 20% bounty. It does not appear that the attacker took them up on the offer.

Total Amount Recovered

It is unclear if affected user assets were recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist - "We detected that @UniLend_Finance was exploited with a loss of $197.6k. The root cause was that the attacker exploited a vulnerability in the redeem process, manipulating the share price, which led to incorrect calculation of the attac...ter/X (Accessed Mar 5, 2025)
  2. Exploit Transaction Of 60.672854887643676587 stETH - Etherscan (Accessed Mar 6, 2025)
  3. Nick L Franklin - "Unilend Pool lost $200k. Root cause is wrong health factor check. In "redeemUnderlying" function, LP tokens are burnt, and then health factor is checked. After that collateral tokens are transferred to user. When checking health...ter/X (Accessed Mar 6, 2025)
  4. Tikkala Research - "One of the smart contract on Ethereum was hacked. @UniLend_Finance lost about ~61 stETH which is about ~200k." - Twitter/X (Accessed Mar 6, 2025)
  5. Tikkala Research - "The root cause is the shares inflation, After burn the LPposition, @UniLend_Finance forgot to remove the underlying tokens which should reduce the token0.balanceOf(address(this)). When it start to count the HealthFactor of the ...ter/X (Accessed Mar 6, 2025)
  6. UniLend Finance - "Important Update on UniLend V2 We’ve identified a security compromise affecting ~$200k (~4%) of the $4.7M TVL on UniLend Platform. UniLend V1 funds are completely SAFU Refrain from depositing into V2 until further notice We’...ter/X (Accessed Mar 6, 2025)
  7. Ninja Tools - "Big Transfer" - Twitter/X (Accessed Mar 6, 2025)
  8. Unilend Finance (Accessed Mar 6, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=UniLend_Redeem_Underlying_Missing_Health_Factor_Check_Exploit&oldid=6589"