UniLend’s Sequencing Bug, Orange Finance’s Key Leak, and Labubu’s Transfer Logic Fail
UniLend lost $200K after failing to update token balances before collateral checks, enabling multiple stETH withdrawals. Orange Finance suffered an $830K loss due to private key compromise and poorly configured multi-sigs. Labubu leaked $11.9K when attackers looped self-sending transfers to inflate balances via flawed state updates.
In Brief
UniLend Finance lost $200K due to a sequencing flaw in the redeemUnderlying function.
Orange Finance suffered a $830K private key compromise.
Labubu Token transfer function flaw resulted in a $11.9K loss
Hacks Analysis
UniLend Finance | Amount Lost: $200K
On January 13th, the UniLend Finance exploit on the Ethereum mainnet resulted in a $200K loss due to a sequencing flaw in the redeemUnderlying function. The function checks a user’s health factor using the pool’s token balances before updating them to reflect burned LP tokens or withdrawn collateral. This outdated pool balance check allowed the attacker to manipulate the function into believing sufficient collateral remained in the pool. By depositing 60M USDC to inflate their lending shares, the attacker withdrew stETH collateral multiple times, bypassing proper validation.
On January 8th, the Orange Finance exploit on the Arbitrum chain resulted in a $830K loss due to a private key compromise and misconfigured multi-sig vaults. Approximately $783K of the loss came from drained deposits, while $47K was due to excessive token approvals. The stolen assets included funds from Uniswap, PancakeSwap, and Sushi liquidity pools. The Orange Finance team paused deposits and withdrawals, secured 50% of the remaining TVL on Stryke, and initiated recovery efforts with Seal 911.
Press enter or click to view image in full size
Exploited Contract (on Arbitrum): 0x38E4157345Bd2c8Cf7Dbe4B0C75302c2038AB7Ec
On December 10th, the Labubu Token on the BSC resulted in a $11.9K loss. The root cause of the exploit was that the private _transfer() function allowed the attacker to use the same address as both the sender and recipient. While the sender’s balance was reduced during the transfer, the recipient’s balance was incorrectly updated by adding the transferred amount to the initial balance, effectively overriding the reduction. This allowed the attacker to repeatedly execute transfers, artificially inflating their token balance with each iteration.
Press enter or click to view image in full size
Exploited Contract (on BNB): 0x2ff960f1d9af1a6368c2866f79080c1e0b253997
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.
