Uranium Finance

2021-03-01

Uranium Finance Twitter account created, approximately one month before the major exploit. Protocol rapidly accumulates over $50 million in TVL.

2021-04-08

First exploit: Jonathan Spalletta allegedly drains approximately $1.4 million by abusing the AmountWithBonus variable in Uranium's rewards contract. Attacker later returns most funds but retains ~$386,000 as a purported bug bounty, which prosecutors would later call a sham.

2021-04-28

Second exploit: A mathematical error in the UraniumPair v2 swap function (1,000 vs. 10,000 constant mismatch) is exploited across 26 liquidity pools, draining approximately $53.3 million (~$57.2 million at peak valuation) about two hours before a scheduled v2.1 patch migration.

2021-04-28

Post-exploit: Uranium Finance removes its GitHub repository and takes down its website. Stolen funds begin moving through Tornado Cash and AnySwap bridge.

2021-04-29

Rekt News publishes analysis of the exploit, flagging suspicious timing and the GitHub deletion, and questioning whether the bug may have been intentionally introduced.

2021-05-01

Immunefi publishes a proof-of-concept analysis of the exploit mechanics, confirming the 100x constant mismatch vulnerability.

2023-01-01

ZachXBT publishes tracing of stolen Uranium Finance funds, identifying suspected conversion through rare Magic: The Gathering card purchases as a laundering vector.

2025-02-24

U.S. authorities (SDNY and HSI San Diego) seize approximately $31 million in cryptocurrency linked to the 2021 Uranium Finance exploits. This marks the first public linkage of an individual to the case.

2026-03-31

Jonathan Spalletta, 36, of Rockville, Maryland (aliases: 'Cthulhon', 'Jspalletta'), is indicted by federal prosecutors in Manhattan and surrenders to authorities. He faces one count of computer fraud (max 10 years) and one count of money laundering (max 20 years).