UniLend Finance Suffers $200K Flash Loan Exploit Through Flawed Health Factor Check

The decentralized lending protocol UniLend Finance fell victim to a sophisticated flash loan exploit on January 12, 2025, losing approximately $200,000 in stETH. The attack exposed a critical vulnerability in the protocol’s redeemUnderlying function, specifically in how it validated health factor calculations during collateral redemption.

The Exploit Mechanics

The attacker initiated the operation by taking a flash loan of 60 million USDC and 5 wstETH from Morpho Blue, a leading lending protocol. The borrowed wstETH was immediately converted to 6 stETH through a token exchange. With these flash loan funds in hand, the attacker called the lend() function twice on UniLend V2’s core contract, depositing the 60 million USDC and 6 stETH as collateral.

This is where the critical flaw came into play. The attacker then called borrow() with the recipient set to their own contract address, borrowing 60.67 stETH. The vulnerability was in how the checkHealthFactorLtv0 and checkHealthFactorLtv1 functions assessed collateral adequacy. These functions relied on userBalanceOftoken0 and userBalanceOftoken1 to verify the health factor, but the _lendBalance0 value was inflated due to an incorrect calculation that failed to account for actual token transfers.

The inflated share calculations made the system believe the attacker had significantly more collateral than they actually deposited. By exploiting this discrepancy, the attacker passed all health checks, withdrew the borrowed 60.67 stETH worth approximately $200,000, repaid the flash loan, and pocketed the difference.

Affected Systems

The exploit targeted UniLend V2’s core lending and borrowing smart contracts deployed on the Ethereum mainnet. The vulnerable contract at address 0x7f2E contained the flawed redeemUnderlying function. The attacker deployed a custom contract at 0x3F81 to orchestrate the multi-step exploit, using an externally owned account at 0x55F5 to fund and initiate the attack.

At the time of the exploit, Ethereum was trading at approximately $3,266 and Bitcoin hovered around $94,488. The broader crypto market had been experiencing a correction, with most major tokens down between 3% and 12% over the previous week. This market environment may have contributed to lower monitoring activity on mid-tier DeFi protocols.

The Mitigation Strategy

Flash loan exploits remain one of the most common attack vectors in decentralized finance, and this incident follows a familiar pattern. The core issue was that UniLend’s health factor validation relied on stale or inflated balance calculations rather than real-time token transfers. Effective mitigation requires implementing checks that account for actual token movements during the same transaction, not just cached balance states.

Protocols can defend against such attacks by incorporating reentrancy guards, using up-to-date oracle prices for collateral valuation, and implementing flash loan-resistant design patterns that verify collateral adequacy after all internal operations complete. Regular security audits by multiple independent firms remain essential, particularly for protocols handling significant value.
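The check-ordering point above can be seen in a small model. This is an added example, not UniLend's contract code: the Pool class, the 80% LTV limit and the sample amounts are assumptions, and it shows only one way a share-derived balance can be overstated when health is checked before tokens leave the pool.

```python
# Toy share-accounting pool (constructed model; not UniLend's contract code).
class Revert(Exception):
    """Stands in for an EVM revert; redeem() restores state before raising."""

class Pool:
    LTV_BPS = 8000  # assumed 80% loan-to-value limit

    def __init__(self):
        self.token_balance = self.total_shares = 0   # tokens held, shares issued
        self.shares, self.debt = {}, {}              # per-user shares and debt

    def lend(self, user, amount):
        minted = amount * self.total_shares // self.token_balance if self.total_shares else amount
        self.token_balance += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def balance_of(self, user):
        # Collateral is derived from shares and the pool's *current* token balance.
        return self.shares.get(user, 0) * self.token_balance // max(self.total_shares, 1)

    def healthy(self, user):
        return self.debt.get(user, 0) * 10_000 <= self.balance_of(user) * self.LTV_BPS

    def _burn(self, user, amount):
        if not 0 < amount <= self.balance_of(user):
            raise Revert("bad amount")
        burned = amount * self.total_shares // self.token_balance
        self.shares[user] -= burned
        self.total_shares -= burned

    def redeem(self, user, amount, check_after_transfer):
        saved = (self.token_balance, self.total_shares, dict(self.shares))
        self._burn(user, amount)
        if check_after_transfer:
            self.token_balance -= amount   # hardened: every state change first
        ok = self.healthy(user)            # flawed order still sees the old balance
        if not check_after_transfer:
            self.token_balance -= amount   # flawed: tokens leave after the check
        if not ok:
            self.token_balance, self.total_shares, self.shares = saved
            raise Revert("unhealthy position")

def sample_pool():  # constructed state: two lenders deposit 100 each; bob owes 70
    pool = Pool()
    pool.lend("alice", 100)
    pool.lend("bob", 100)
    pool.debt["bob"] = 70
    return pool
```

With the check placed before the transfer, redeeming 20 from the sample pool is approved on a computed balance of 88 and leaves the position at 80, below the 87.5 the debt requires; with the check placed last, the same call reverts.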

Lessons Learned

The UniLend exploit underscores several critical lessons for the DeFi ecosystem. First, the complexity of lending protocol logic creates numerous attack surfaces that even experienced development teams can overlook. The redeemUnderlying function appeared to work correctly under normal conditions, but the health factor validation failed when subjected to adversarial inputs designed to exploit balance calculation discrepancies.

Second, flash loans continue to democratize exploitation by allowing attackers to execute sophisticated multi-step attacks without requiring significant upfront capital. The attacker needed only gas fees to attempt this exploit, as the 60 million USDC flash loan was borrowed and repaid within a single transaction.

Third, the incident highlights the importance of real-time monitoring systems that can detect unusual transaction patterns, such as massive flash loan borrows followed by rapid collateral manipulation, before the full exploit completes.
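A monitoring rule for the pattern described above can be sketched as follows. This is an added example, not part of the original article: the decoded call records, the action names, the pool labels and the USD threshold are all constructed assumptions, and a real pipeline would derive them from transaction traces.

```python
# Flag transactions where a large flash loan is followed, in the same
# transaction, by a deposit into a lending pool and then a borrow or redeem
# against that same pool.
from collections import defaultdict

# Constructed, already-decoded call records: (tx, order, action, pool, usd_value).
SAMPLE_CALLS = [
    ("0xaaa", 0, "flashloan", "lenderA", 60_000_000),
    ("0xaaa", 1, "lend", "poolX", 60_000_000),
    ("0xaaa", 2, "lend", "poolX", 20_000),
    ("0xaaa", 3, "borrow", "poolX", 200_000),
    ("0xaaa", 4, "redeem", "poolX", 60_000_000),
    ("0xaaa", 5, "repay_flashloan", "lenderA", 60_000_000),
    ("0xbbb", 0, "lend", "poolX", 5_000),            # ordinary deposit
    ("0xccc", 0, "flashloan", "lenderA", 1_000_000),
    ("0xccc", 1, "swap", "dexY", 1_000_000),         # no lending pool touched
    ("0xccc", 2, "repay_flashloan", "lenderA", 1_000_000),
]

def flag_flashloan_collateral_cycles(calls, min_loan_usd=1_000_000):
    """Return one alert per transaction that matches the pattern."""
    by_tx = defaultdict(list)
    for tx, order, action, pool, usd in calls:
        by_tx[tx].append((order, action, pool, usd))
    alerts = []
    for tx, steps in by_tx.items():
        steps.sort()                      # replay calls in execution order
        loan = 0
        deposited = defaultdict(int)      # pool -> USD lent after the flash loan
        for _, action, pool, usd in steps:
            if action == "flashloan":
                loan += usd
            elif loan >= min_loan_usd and action == "lend":
                deposited[pool] += usd
            elif action in ("borrow", "redeem") and deposited[pool] > 0:
                alerts.append({"tx": tx, "pool": pool, "loan_usd": loan,
                               "deposited_usd": deposited[pool], "then": action})
                break                     # one alert per transaction is enough
    return alerts
```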

User Action Required

Users who had funds deposited in UniLend V2 lending pools should immediately check their positions and assess whether any of their collateral was affected by the exploit. If the protocol has not yet published a post-mortem, users should monitor UniLend’s official communication channels for updates on remediation efforts and potential reimbursement plans. As a general practice, DeFi users should diversify their holdings across multiple protocols and avoid concentrating large positions in any single lending platform, regardless of its track record.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with any DeFi protocol.

8 thoughts on “UniLend Finance Suffers $200K Flash Loan Exploit Through Flawed Health Factor Check”

  1. another health factor miscalculation. when will lending protocols stop rolling their own liquidation logic and use audited libraries

    1. flash loan attacks have basically become a bug bounty program where the payout is guaranteed and the auditor is the attacker

    1. same class as bzx but the redeemUnderlying path is new. each time a different function gets hit and auditors play whack a mole
