Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 182 · Smart Contract Bug

Unizen External Call Drain

$2.1M drained from Unizen's DEX aggregator via an unsafe external-call vulnerability in a recent upgrade that hit users with token approvals.

Date: March 9, 2024
Victim: Unizen
Chain(s)
Status: Partially Recovered

On March 9, 2024, the cross-chain DEX aggregator Unizen was exploited for approximately $2.1 million — drained from users who had granted token approvals to a freshly upgraded contract. The bug: the upgrade introduced an unsafe external-call vulnerability in the swap path. (Rekt's leaderboard lists this incident at $21M; the verified loss across independent analyses is $2.1M.)

What happened

Unizen's DEX-aggregation contract was upgraded shortly before the exploit. The upgrade introduced a new path that made arbitrary external calls during swap execution — without rigorous validation of the call target or calldata.

For users who had granted Unizen's contract token approvals — typical for any DEX-aggregator UX — the bug created a familiar pattern: any caller could construct a "swap" whose underlying external call performed a transferFrom against the victim's approved balance to the attacker's address.
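To make the pattern concrete, here is a minimal vulnerable aggregator beside a hardened one. This is an added teaching example, not Unizen's contract code (which this dossier does not reproduce); the contract names, the `executeSwap` signatures, the router allow-list and the `IERC20` subset are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumption: standard bool-returning tokens).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable shape (illustrative, not Unizen's code): the aggregator forwards a
/// caller-supplied target and calldata. Every user who ran approve() on this contract
/// has made it a spender, so any call it forwards executes with the aggregator as
/// msg.sender of the token contract. If `target` is a token and `data` encodes
/// transferFrom(victim, ...), the victim's approved balance moves.
contract VulnerableAggregator {
    function executeSwap(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data); // target and data unvalidated
        require(ok, "call failed");
    }
}

/// Hardened shape (illustrative): two properties close the hole.
///  1. Funds are pulled only from msg.sender, so the only approval ever exercised
///     is the caller's own.
///  2. The forwarded call may only reach a router vetted at deploy/upgrade time;
///     token contracts are never valid targets, so transferFrom cannot be smuggled
///     in through `data`.
/// The allow-list is the trust boundary: any upgrade that touches it, or that adds a
/// new path to `router.call`, needs the same review the original swap path had.
contract HardenedAggregator {
    mapping(address => bool) public allowedRouter;

    error RouterNotAllowed(address router);

    constructor(address[] memory routers) {
        for (uint256 i = 0; i < routers.length; i++) {
            allowedRouter[routers[i]] = true;
        }
    }

    function executeSwap(
        address tokenIn,
        uint256 amountIn,
        address router,
        bytes calldata data
    ) external {
        if (!allowedRouter[router]) revert RouterNotAllowed(router);

        // Property 1: the aggregator spends only the caller's approval.
        require(
            IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn),
            "transferFrom failed"
        );

        // Give the vetted router a bounded, one-shot allowance for this swap only,
        // then clear it so no allowance to the router outlives the transaction.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data); // Property 2: router is allow-listed
        require(ok, "router call failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");
    }
}
```

From a monitoring standpoint the vulnerable shape has a recognisable on-chain signature: a token `Transfer` emitted inside an aggregator swap whose `from` is not the address that submitted the swap. Alerting on that mismatch for any approval-holding contract, especially in the hours after an upgrade, is the cheap detection the hardened design makes unnecessary.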

PeckShield flagged the issue publicly within hours of the first malicious transactions; on-chain investigators surfaced the pattern, and Unizen halted the affected contract.

Aftermath

  • Unizen founder Sean Noga personally loaned funds to the company so that user refunds could begin immediately.
  • Users who had lost under $750,000 were refunded; larger losses were addressed through a separate negotiation track.
  • The contract was patched and re-deployed with proper validation of external calls.
  • The attacker laundered through Tornado Cash; no public recovery.

Why it matters

Unizen is one of three structurally similar March 2024 approval-bug incidents — alongside WOOFi and Dolomite — that highlighted the recurring DEX-aggregator pattern: users grant approvals to a contract; the contract has any path that performs an unvalidated external call; any caller can drain the approved balances.

The structural lesson is the same one repeated at Furucombo, Transit Swap, and LI.FI: contract upgrades that touch the swap execution path must be re-audited end-to-end, not treated as routine patches. The attack surface of an approval-holding aggregator is the union of every code path that can be reached after approve() has been granted, across the contract's entire upgrade history.

The Unizen team's response — founder-loaned immediate refunds — was unusually fast and full for the loss scale. It set a credible bar for how a small-protocol team can handle a mid-sized exploit without destroying user trust.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-unizen-hack-march-2024
  2. beincrypto.com: https://beincrypto.com/unizen-defi-hack-million/
  3. web3isgoinggreat.com: https://www.web3isgoinggreat.com/?id=unizen-hack
