
UniLend Finance Suffers $197,000 Flash Loan Exploit Through Stale Balance Vulnerability

On January 13, 2025, decentralized finance protocol UniLend Finance fell victim to a sophisticated flash loan attack on the Ethereum network, resulting in losses of approximately $197,000. The exploit, detected by the SlowMist MistEye security monitoring system, exposed a critical flaw in how the protocol calculated health factors during asset redemption — one that allowed an attacker to borrow significant assets without maintaining adequate collateral.

The Exploit Mechanics

The core vulnerability resided in UniLend’s redeemUnderlying function, specifically in the checkHealthFactorLtv1 logic. When a user redeemed assets, the contract calculated the borrower’s health factor using the old USDC balance in the liquidity pool rather than the current balance after the attacker’s flash loan deposit. This meant the health factor appeared artificially inflated, tricking the system into believing the user’s lending position remained safe when it was, in fact, severely undercollateralized.

The attacker executed a multi-step exploit that began with pledging 200 USDC to the UniLendV2Pool, obtaining 150,237,398 USDC lendShares. They then used a flash loan to borrow 60 million USDC and 5 wstETH, converting the wstETH to approximately 6 stETH. By depositing these borrowed assets back into the protocol, the attacker obtained corresponding lending shares that dramatically inflated their apparent collateral position.

Affected Systems

The vulnerable contract, deployed at 0xc86d2555f8c360d3c5e8e4364f42c1f2d169330e on Ethereum, contained a logic flaw in the userBalanceOftoken0 function. This function returned stale pool balances when computing the health factor, rather than reflecting the actual state after the flash loan injection. The attacker’s address, 0x55f5f8058816d5376df310770ca3a2e294089c33, executed the primary attack transaction 0x44037ffc0993327176975e08789b71c1058318f48ddeff25890a577d6555b6ba, draining approximately $197,000 worth of assets from the protocol.

At the time of the exploit, Bitcoin traded at approximately $94,516 and Ethereum at $3,135, underscoring that even as the broader crypto market held strong valuations, DeFi protocols remained vulnerable to fundamental smart contract flaws.

The Mitigation Strategy

Following the attack, DeFi security experts recommended several immediate mitigations for UniLend and similar lending protocols. First, health factor calculations must always reference real-time pool balances rather than cached or stale values. Protocols should implement snapshot-based balance checks that capture the exact state at the moment of each transaction. Second, flash loan resistance mechanisms — such as delayed redemption periods or reentrancy guards that prevent borrowing and redeeming within the same transaction block — provide critical protection against this class of attack.

Third, comprehensive smart contract audits from multiple independent security firms remain essential. The UniLend vulnerability was not a novel attack pattern; stale balance exploits have been documented in DeFi since 2020. The fact that such a flaw persisted in a live protocol highlights the ongoing need for rigorous auditing practices.
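A simplified Python model of the stale-balance check described under The Exploit Mechanics, next to the first mitigation above. It is an added illustration, not UniLend's contract code. ToyPool, its share math, the 80% LTV and all amounts are constructed, and the model assumes the stale value arises because the health check runs before the pool's token balance is reduced.

```python
class Revert(Exception):
    """Models an EVM revert."""

class ToyPool:
    LTV_BPS = 8_000  # constructed: 80% loan-to-value

    def __init__(self, check_after_update):
        self.check_after_update = check_after_update
        self.cash = 0          # token0 actually held by the pool
        self.total_shares = 0
        self.shares = {}
        self.debt = {}         # valued in token0 units (price fixed at 1)

    def deposit(self, user, amount):
        minted = amount if self.cash == 0 else amount * self.total_shares // self.cash
        self.cash += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def balance_of(self, user):  # pro-rata share; only as fresh as self.cash
        return self.shares.get(user, 0) * self.cash // max(self.total_shares, 1)

    def healthy(self, user):
        return self.balance_of(user) * self.LTV_BPS // 10_000 >= self.debt.get(user, 0)

    def redeem_underlying(self, user, amount):
        snapshot = (self.cash, self.total_shares, dict(self.shares))
        burned = amount * self.total_shares // self.cash
        self.shares[user] -= burned
        self.total_shares -= burned
        if self.check_after_update:
            self.cash -= amount      # hardened: balance is current before the check
        ok = self.shares[user] >= 0 and self.healthy(user)
        if not self.check_after_update:
            self.cash -= amount      # flawed: the check saw the pre-transfer balance
        if not ok:
            self.cash, self.total_shares, self.shares = snapshot
            raise Revert("health factor below 1 after redeem")

def run_scenario(check_after_update):
    pool = ToyPool(check_after_update)
    pool.deposit("lp", 10)           # constructed amounts throughout
    pool.deposit("borrower", 1_000)
    pool.debt["borrower"] = 700      # constructed debt; within 80% of 1,000
    try:
        pool.redeem_underlying("borrower", 900)
    except Revert:
        return False, pool.balance_of("borrower")
    return True, pool.balance_of("borrower")
```

With the check placed before the balance update, the redeem succeeds and leaves 100 units of collateral behind 700 of debt. With the check placed after, the same call reverts and the position is unchanged, which makes the pair usable as a regression test for check ordering.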

Lessons Learned

The UniLend exploit reinforces several critical lessons for the DeFi ecosystem. Flash loans remain one of the most potent attack vectors available to malicious actors, enabling capital-efficient exploitation of even minor logical flaws in smart contracts. Protocols that calculate financial metrics using potentially stale state variables are inherently vulnerable, regardless of how sophisticated their overall architecture might be.

The relatively modest $197,000 loss — compared to the multimillion-dollar hacks that dominated 2024 — does not diminish the severity of this class of vulnerability. The same fundamental flaw, if present in a larger protocol with deeper liquidity pools, could result in losses orders of magnitude greater.

User Action Required

Users who had funds deposited in UniLend Finance’s affected pools should immediately check their positions and assess any losses. Even if the exploited contract has been patched, residual risks may persist in forked or similar deployments. Always verify that any DeFi protocol you use has undergone recent, comprehensive security audits and maintains active bug bounty programs. For those seeking safer alternatives, stick with protocols that have been battle-tested across multiple market cycles and that implement flash loan resistance as a core design principle.

This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


7 thoughts on “UniLend Finance Suffers $197,000 Flash Loan Exploit Through Stale Balance Vulnerability”

  1. stale balance bugs are sneaky. the health factor looked fine on paper because it was checking old pool data. classic time-of-check vs time-of-use

    1. exactly this. TOCTOU bugs are the gift that keeps on giving in DeFi. every audit misses them until the exploit happens

  2. $197K is honestly a small extract by 2025 standards. the real question is how many other lending protocols have the same stale state issue and just haven't been probed yet

    1. ^ exactly. flash loans let anyone stress test these contracts with zero risk. if slowmist caught this one, how many did they miss

    2. slowmist is good but they catch maybe 1 in 5 bugs. the real question is who is auditing the auditors because the current model is clearly broken

    3. probably dozens. most lending protocols reuse similar health factor logic. if UniLend had this bug, safe bet others do too

  3. pledged 200 USDC and walked away with $197K. the math on that leverage ratio is insane. health factor checks need to query current balances, not cached ones
