Decentralized finance (DeFi) trading platform Unizen lost around $2.1 million after what crypto security firms called an exploit of an "external call vulnerability" in the platform.
Blockchain security and data analytics firm PeckShield reported the anomaly on X (formerly Twitter) on Saturday. "Hi @unizen_io you may want to [take] a look. It looks like an approve issue with >2m loss already," the company said. It also advised the platform to revoke the approved transactions immediately.
Another blockchain security company, SlowMist, also picked up the breach, saying Unizen was exploited "due to an open external call vulnerability." It also revealed that the attacker "has swapped the stolen USDT (Tether) for DAI (Dai)," but so far has not moved the funds.
Unizen has since acknowledged the hack, saying the team was "working tirelessly to secure our platform and implement measures to prevent such incidents in the future." For users affected by the system breach, the cryptocurrency trading firm has "established a dedicated form" to address concerns.
It also warned users on X not to communicate with any other handles except for its official Unizen account on the social media platform.
By early Sunday, Unizen said it had started cooperating with law enforcement and forensic experts to track down the identity of the exploiter. It also sent messages to the hacker in hopes of getting back the pilfered funds.
"Dear Security Professional, we urge you to restore the misappropriated funds," Unizen wrote in the messages. "We've sent 100 ZCX from our foundation wallet to the aforementioned Ethereum wallet to prove we are the owners of this address, and we will publish a Tweet on our official Twitter within the hour," it added.
Unizen said collaboration with law enforcement was ongoing, and it "respectfully" requests the prompt return of the funds if the exploiter wants to avoid further legal action. It also offered a 20% bounty "as a token of appreciation for whitehat efforts."
Unizen CTO Martin Granstrom also released a statement about the exploit, saying the company gathered "a ton of evidence" to draw up a post-mortem report, which should be ready sometime Monday. After the report is published, the platform's engineering team will focus on getting back to business as usual, Granstrom said.
"It has been decided that we will invest a lot more in ensuring the security with every upgrade introduced, no matter the risk assessments and internal reviews. We owe it to our users," he said.
The Unizen exploit is just one of several crypto exploits in February, including one against WOOFi, which lost some $8.75 million just last week.