defirisk.co
rubric v1.7.0

Unizen: Unvalidated external call in upgraded DEX Aggregation contract — approval drain

Unizen lost $2.1M when a gas optimization upgrade to their DEX aggregation contract introduced an unvalidated external call vulnerability, enabling multiple attackers to drain token approvals from users' wallets within hours.

Occurred 2024-03-08 Loss $2M Status closed

Summary #

Unizen suffered a DEX Aggregator on 2024-03-08, resulting in a loss of approximately $2M.

What happened #

Unizen lost $2.1M when a gas optimization upgrade to their DEX aggregation contract introduced an unvalidated external call vulnerability, enabling multiple attackers to drain token approvals from users' wallets within hours.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — the upgrade that introduced the vulnerability was not audited] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — the upgrade that introduced the vulnerability was not audited]
  • RD-F-002 — related : Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~2 years (2022 audit; exploit March 2024)]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code (the upgrade)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — gas optimization upgrade deployed immediately before exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — gas optimization upgrade deployed immediately before exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — contract upgrade was the proximate trigger (team-controlled but observable)]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — gas optimization upgrade deployed immediately before exploit]