
Explained: The Unizen Hack (March 2024)

Rob Behnke

March 14th, 2024


In March 2024, the Unizen decentralized exchange (DEX) was the victim of a series of attacks. In total, an estimated $2.1 million was stolen by exploiting an insecure external call vulnerability.

Inside the Attack

The Unizen hack occurred shortly after the project’s DEX aggregation contract was upgraded. The upgrade was intended to reduce gas fees and also raised the maximum spending limits for certain types of tokens on the exchange.

The root cause of the incident was an unsafe external call within the contract. By exploiting this vulnerability, the attackers were able to access and drain value from the accounts of users who had created approvals for the contract. In total, the attacker was able to steal about $2.1 million in USDT, which they then converted to DAI. Sample exploit code for reproducing the vulnerability and exploit in Foundry is available on GitHub.
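To make the vulnerability class concrete, the following is an added illustration written for this post; it is not Unizen’s contract code and is not taken from the Foundry repository referenced above. The contract names, the `swap` signatures, the owner-managed whitelist and the selector check are all hypothetical. The first contract shows the dangerous pattern (forwarding a caller-supplied target and calldata from a contract that holds user approvals); the second shows the mitigations an auditor would expect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the "unsafe external call" vulnerability class.
// The contracts, names and checks below are hypothetical and are NOT Unizen's code.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the aggregator forwards a caller-supplied target and calldata
/// unchanged. Every user who has approved this contract to spend their tokens is
/// exposed, because the forwarded call executes with this contract as msg.sender,
/// so the contract's own allowances can be spent by whoever controls `target` and `data`.
contract VulnerableAggregator {
    function swap(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

/// Hardened pattern:
///  (1) only vetted router addresses may be called, and token contracts are never whitelisted;
///  (2) tokens are pulled only from msg.sender, so allowances granted by other users
///      are never spent on a stranger's behalf;
///  (3) as defence in depth, calldata carrying the transferFrom selector is rejected.
contract HardenedAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    bytes4 private constant TRANSFER_FROM_SELECTOR = IERC20.transferFrom.selector;

    constructor() {
        owner = msg.sender;
    }

    // Governance-controlled whitelist of router contracts (hypothetical admin model).
    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function swap(address tokenIn, uint256 amountIn, address target, bytes calldata data) external {
        require(allowedTarget[target], "target not whitelisted");
        require(data.length >= 4, "calldata too short");
        require(bytes4(data[:4]) != TRANSFER_FROM_SELECTOR, "transferFrom not allowed");

        // Funds move only from the caller; nobody else's approval can be used.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        (bool ok, ) = target.call(data);
        require(ok, "router call failed");
    }
}
```

The important property of the hardened version is that the address whose tokens move is always `msg.sender`, never a value derived from caller-supplied calldata. A pre-deployment Foundry test for an upgrade of this kind would deploy the new implementation, have a test user grant an approval, and assert that any `swap` attempt naming a token contract as `target` reverts; that is the sort of check the Lessons Learned section below argues should precede every contract upgrade.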

After the attack was detected, users were encouraged to revoke any existing approvals that they had in place for the contract. However, bots spammed Twitter / X with posts about Unizen, making it more difficult to find information and causing users to believe that the project was down for an upgrade.

Unizen attempted to convince the attacker to return the stolen funds in exchange for a 20% bounty. In the meantime, Unizen worked to reimburse users who had lost under $750,000 using funds provided by the organization’s CEO, Sean Noga. The project also implemented additional security measures intended to prevent similar attacks in the future.

Lessons Learned from the Attack

The Unizen hack was performed shortly after an upgrade to the project’s DEX aggregation smart contract. Among the changes made during the upgrade was an increase in the protocol’s maximum spending limits, and the upgraded code introduced an unsafe external call vulnerability that attackers could exploit.

The fact that these attacks immediately followed a smart contract upgrade demonstrates the importance of applying code security best practices whenever code is deployed or changed on the blockchain. Code updates that are not properly tested for potential vulnerabilities can introduce new vulnerabilities into an existing project. This is especially dangerous when users already hold approvals for the contract, because those approvals allow an attacker to steal from the project’s users immediately.

Vulnerabilities such as unsafe external calls can be identified and remediated as part of a smart contract audit. To learn more about securing your DeFi projects against potential exploits, get in touch with Halborn.