shield Access Control

ULME Access Control, October 2022 — attack surface walkthrough

Q: When did the ULME hack happen?

The ULME exploit was recorded on October 25, 2022 — 1,267 days ago.

Q: What type of exploit hit ULME?

The ULME incident is classified as a Access Control. A privileged function lacks a proper authorisation check, letting an unauthorised caller execute it.

Q: How does ULME compare to the largest Access Control attack?

The largest access control incident in our archive is Corkprotocol (2025) at $12M. The ULME loss was not publicly disclosed.

On October 2022, ULME suffered a access control — the first of 77 documented access control incidents in our archive where the loss figure was not publicly disclosed but the exploit pattern is documented below.

Attack Mechanics: How the ULME Access Control Played Out

Exploit Class Applied to ULME

The ULME incident on October 25, 2022 is classified as a Access Control. A privileged function lacks a proper authorisation check, letting an unauthorised caller execute it. In the full archive, ULME is 1 of 77 documented access control incidents.

ULME in Context

The ULME incident joins a class whose largest loss to date is Corkprotocol (2025) at $12M.

Prior Access Control Before ULME

The nearest access control incident before ULME was HPAY, 7 days earlier on October 18, 2022. The same exploit class surfaced again within the access control attack surface.

Impact & Recovery for ULME

ULME Loss Figure

The loss figure for ULME is not publicly disclosed. The primary source reports the exploit in non-USD terms, so no USD estimate is published here. For reference, the average loss across 77 access control incidents in our archive is $636K.

Timeline Since the ULME Incident

The ULME exploit occurred 3.5 years ago (1,267 days). The contract, its fork-block, and the attack transaction remain on-chain and forensically reproducible.

Primary Reference for ULME

Public post-mortem / on-chain analysis for the ULME incident: view source.

FAQ

How much did ULME lose?

The ULME loss figure is not publicly disclosed. The primary source reports the exploit in non-USD token terms, so no USD estimate is published here.

When did the ULME hack happen?

The ULME exploit was recorded on October 25, 2022 — 1,267 days ago.

What type of exploit hit ULME?

The ULME incident is classified as a Access Control. A privileged function lacks a proper authorisation check, letting an unauthorised caller execute it.

How common is the Access Control pattern seen at ULME?

Our archive contains 77 documented access control incidents. The ULME incident is one of them.

How does ULME compare to the largest Access Control attack?

The largest access control incident in our archive is Corkprotocol (2025) at $12M. The ULME loss was not publicly disclosed.

How does the study's new design differ from conventional designs?

The study's new design, utilizing a heatmap matrix, resulted in greater returns across multiple outcomes compared to the conventional design's limited outcomes.

What method is used to analyze sustainability reports?

Qualitative content analysis.

Attack Mechanics: How the ULME Access Control Played Out

Exploit Class Applied to ULME

ULME in Context

Prior Access Control Before ULME

Impact & Recovery for ULME

ULME Loss Figure

Timeline Since the ULME Incident

Primary Reference for ULME

FAQ

How much did ULME lose?

When did the ULME hack happen?

What type of exploit hit ULME?

How common is the Access Control pattern seen at ULME?

How does ULME compare to the largest Access Control attack?

How does the study's new design differ from conventional designs?

What method is used to analyze sustainability reports?

Related Articles

How DFS lost $1.5K to a flash loan attack in December 2022

The December 2022 reentrancy against JAY: what went wrong

How Rubic lost $1.5M to an arbitrary call in December 2022

$170K Reentrancy at Defrost, December 2022 breakdown

Forensic report: Nmbplatform price manipulation cost $76K (December 2022)

Forensic report: FPR access control cost $29K (December 2022)