- Blockbasis
- Posts
- Unizen: Navigating a $2.1M Security Breach
Unizen: Navigating a $2.1M Security Breach
Unizen: Navigating the Aftermath of a $2.1M Security Breach – Understanding the Impact of External Call Vulnerabilities on Upgradeable Contracts. Delve into the Intricacies of Crypto Security Postures, the Role of Thorough Testing and Auditing, and Unizen's Journey Towards Redemption in the Wake of Unprecedented Challenges
Blockbasis
March 12, 2024
TL;DR
Unizen's turbulent tale unfolds as attackers exploit vulnerabilities, leaving users reeling from a $2.1M hit. With external calls turning into costly traps, the protocol grapples with security woes. Yet, amidst the chaos, questions linger: Can Unizen weather the storm and emerge stronger? Dive into the saga of Unizen's battle for redemption.
Make Sure This Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
Unizen's Weekend Marred by Security Breach
On March 8th, a staggering $2.1 million was pilfered in a series of assaults targeting the Ethereum-based decentralized exchange (DEX) Unizen, hot on the heels of a contract overhaul within their DEX aggregation system.
The alarm bells were rung by cyber sentinels during the aforementioned attack on March 8th. However, Unizen only confirmed the breach a full seven hours later.
To Our Valued Community
In light of the recent security incident, we're fully aware of the distress and inconvenience many of you are facing. This is a moment that tests our resilience, but more importantly, it's a call to action for us to stand together and navigate this… x.com/i/web/status/1…
— unizen (@unizen_io)
3:26 AM • Mar 9, 2024
These attacks unfolded over the span of a few intense hours, leaving certain users in the lurch, mistakenly presuming the DEX was offline due to routine maintenance, with the grim reality only dawning after the fact.
In response, RevokeCash swiftly advised users to conduct a thorough assessment to ascertain if their digital wallets were compromised, advocating the revocation of approvals through their specialized toolkit.
The utilization of upgradeable contracts, while offering flexibility, often raises eyebrows in security circles as they can be exploited, as exemplified by previous breaches in protocols such as Socket, Safemoon of last year, and Level Finance, among others.
The question looms: Did another protocol hastily deploy an upgrade sans proper scrutiny, inadvertently laying the groundwork for exploitation?
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
After a DEX Aggregation contract upgrade on Unizen, multiple attackers exploited an unverified external call vulnerability. While the upgrade aimed to slash ETH gas fees, it inadvertently paved the way for a different kind of reduction.
Certain users, who had previously interacted with and greenlit a higher spending threshold for specific tokens, fell victim to a malicious actor who absconded with their funds. The result? A staggering theft exceeding $2.1 million.
Attacker 1: 0xb660cae1a59336676ea1887b15eb3c0badb90d78
Attack Contract 1: 0xb660cae1a59336676ea1887b15eb3c0badb90d78
Attack Transaction: 0xc12a4155c2c90707138e4aef8883c8f724371145823e2f661f19b93e5b3a9d6e
Attacker 2: 0xc596523b77ceb9567279B572c653ECF4BA763CB7
Attack Contract 2: 0x90a7482dD7fA28865f440EC0c3B783775AC01266
A total of 14 attack transactions were carried out.
Attack Address 3: 0xd440b92739f86b00d1135b5eea871751433da2d7
Attacked Contract 3: 0x2f744f784000de0b8f1a7da3f0021ad56c09ce1a
Attack Transaction: 0x30fef86a72ea7e1109ffeae572439995c78561ffeb968dcbd61c609efc60fdd9
Attacker 4: 0x4e2ce48f0b5d97bfd4be3f6c7b6479db1aa5b365
A total of 13 attack transactions were carried out.
The flow of these funds can be traced through here.
Ultimately, the stolen funds were transferred to this address.
Aftermath: Compounding the situation, Unizen's feed became inundated with phishing spam posts, overshadowing news of the breach. Unizen promptly tackled the spam onslaught.
Response Timeline: Unizen addressed the community seven hours post-attack, extending support to address concerns and commence community healing.
CTO Statement: The protocol's Chief Technology Officer elaborated on the incident, underlining that the gas optimization upgrade was a minor bug with major consequences.
Bounty Offer: Two days following the breach, Unizen dispatched several on-chain messages, reaching out to a "Security Professional," offering a 20% bounty for the safe return of the funds.
On-chain Messages:
Just hours later, Unizen made a pivotal announcement, pledging to reimburse losses below $750,000 with either USDC or USDT. CEO and Founder, Sean Noga, stepped up, loaning personal funds to bolster the protocol's efforts.
In a proactive move, Unizen released a video tutorial alongside the announcement, guiding users on how to revoke spend limit approvals within the Unizen platform. This begs the question: why wasn't this guidance available on the day of the attack?
Later that day, the Chief Technology Officer (CTO) declared that they had amassed sufficient evidence to proceed with a post-mortem analysis. Additionally, an upgrade had been swiftly patched into the gas optimization contract. The CTO affirmed a commitment to ramping up security measures with each subsequent upgrade, irrespective of risk assessments and internal reviews.
However, a lingering threat loomed as Blockfence intercepted activity on March 11th, suggesting one of the attackers may be plotting their next on-chain maneuver. Alarmingly, they funneled 128 ETH of stolen assets into a liquidity pool on Uniswap, paired with the enigmatic "Yoink" token. Notably, a message left behind hinted at diverting profits from purportedly "highly profitable trading strategies" into Yoink. Could these actually be hacking strategies in disguise?
Despite Unizen's previous audits by Halborn and Verichain in 2022, no documentation exists for an audit on the recent upgrade. This raises a pertinent question: could this attack have been preempted with a thorough audit of the recent upgrade?
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
Yet another external call vulnerability exploited, another attack on an upgradeable contract. The cycle seems unending. A glaringly expensive oversight that could have been averted through meticulous testing and auditing.
It's not hard to imagine malicious actors salivating at the prospect of a checklist teeming with impending contract upgrades, poised to swoop in and abscond with the spoils.
While the team's initial response may have been sluggish in keeping the community informed, their subsequent actions were commendable. A few days later, they rose to the occasion, addressing the situation with commendable transparency and efficacy.
Already, users are flooding Unizen's Telegram and X platforms with expressions of gratitude, lauding the initiation of the reimbursement process. It seems the protocol is following through thus far.
Yet, the question lingers: if the breach had inflicted a more substantial blow, would Unizen still honor its commitment to reimburse affected users?
As they vow to fortify security with every upgrade, it's evident that blackhats will be watching closely, waiting for the opportune moment to strike.
Will Unizen uphold its reputation and continue to deliver on its promises? Only time will tell.