Decentralized finance (DeFi) trading platform Unizen lost around $2.1 million after what crypto security firms called an exploit of an "external call vulnerability" in the platform.
Blockchain security and data analytics firm PeckShield reported about the anomaly on X (formerly Twitter) Saturday. "Hi @unizen_io you may want to [take] a look. It looks like an approve issue with >2m loss already," the company said. It also advised the platform to revoke the approved transactions immediately.
Hi @unizen_io you may want to a look. It looks like an approve issue with >2m loss already.
— PeckShield Inc. (@peckshield) March 8, 2024
If you have approved the following trade aggregator, please revoke ASAP:
eth: 0xd3f64baa732061f8b3626ee44bab354f854877ac pic.twitter.com/Rq1AMxrrgs
Another blockchain security company, SlowMist, also picked up the breach, saying Unizen was exploited "due to an open external call vulnerability." It also revealed that the attacker "has swapped the stolen USDT (Tether) for DAI (Dai)," but so far has not moved the funds.
🚨SlowMist Security Alert🚨
— SlowMist (@SlowMist_Team) March 9, 2024
Due to an open external call vulnerability, @unizen_io has been exploited, losing around $2.1M. Please revoke approval for 0xd3f64baa732061f8b3626ee44bab354f854877ac ASAP!
Currently, the attacker has swapped the stolen USDT for DAI, but has not moved… pic.twitter.com/T0QARp0QkD
Unizen has since acknowledged the hack, saying the team was "working tirelessly to secure our platform and implement measures to prevent such incidents in the future." For users affected by the system breach, the cryptocurrency trading firm has "established a dedicated form" to address concerns.
To Our Valued Community
— unizen (@unizen_io) March 9, 2024
In light of the recent security incident, we're fully aware of the distress and inconvenience many of you are facing. This is a moment that tests our resilience, but more importantly, it's a call to action for us to stand together and navigate this…
It also warned users on X not to communicate with any other handles except for its official Unizen account on the social media platform.
By early Sunday, Unizen said it had started cooperating with law enforcement and forensic experts to track down the identity of the exploiter. It also sent messages to the hacker in hopes of getting back the pilfered funds.
Community Update:
— unizen (@unizen_io) March 10, 2024
We are working with law enforcement and forensic experts to determine the identity of the person(s) responsible for the security breach and have provided the following on - chain messages.
We continue to work swiftly to resolve this and will have further…
"Dear Security Professional, we urge you to restore the misappropriated funds," Unizen wrote in the messages. "We've sent 100 ZCX from our foundation wallet to the aforementioned Ethereum wallet to prove we are the owners of this address, and we will publish a Tweet on our official Twitter within the hour," it added.
Unizen said collaboration with law enforcement was ongoing, and it "respectfully" requests the prompt return of the funds if the exploiter wants to avoid further legal action. It also offered a 20% bounty "as a token of appreciation for whitehat efforts."
Unizen CTO Martin Granstrom also released a statement about the exploit, saying the company gathered "a ton of evidence" to draw up a post-mortem report, which should be ready sometime Monday. After the report is published, the platform's engineering team will focus on getting back to business as usual, Granstrom said.
Quick update.
— Martin Granström (@MartinGranstrom) March 10, 2024
We've collected a ton of evidence and have enough to proceed with the post-mortem. We're working with third party security firms and law enforcement to track down the identity of the hacker.
On Monday we will have a draft of the post-mortem ready for the…
"It has been decided that we will invest a lot more in ensuring the security with every upgrade introduced, no matter the risk assessments and internal reviews. We owe it to our users," he said.
The Unizen exploit is just one of several crypto exploits in February, including WOOFi, which lost some $8.75 million just last week.
