Unilend Pool lost $200k. Root cause is wrong health factor check.
In “redeemUnderlying” function, LP tokens are burnt, and then health factor is checked. After that collateral tokens are transferred to user.
When checking health factor, user token balance is calculated using current balance of token in pool contract, and as tokens are not transferred when calculating user token balance, it returns higher value than expected. This means when withdrawing tokens, “userBalnceOftoken” function can return high “lendBalance” with only small lend share remaining if pool had very large liquidity.
Hacker deposited a huge amount of USDC(60M) to lending pool and borrowed some stEth, and then withdraw all USDC, gained 60 stEth for free.
Health factor should be checked after token transfer.
Also, “getShareByValue” should use “divUp” instead of “div”.
Leave a Reply