TLDR
- UwU Lend, a decentralized finance (DeFi) lending protocol, suffered two major hacks within three days, losing around $23.7 million in total.
- The first hack on June 10th involved price manipulation of the protocol’s native token, resulting in a loss of nearly $20 million.
- The second hack on June 13th targeted various liquidity pools and stole approximately $3.7 million worth of assets, converted to Ethereum.
- Both hacks were carried out by the same attacker, who exploited vulnerabilities in UwU Lend’s smart contracts and price oracles.
- The stolen funds from both hacks are currently held in the attacker’s wallet, and efforts to trace and recover the assets are ongoing.
UwU Lend, a prominent decentralized finance (DeFi) lending protocol, has been the target of two major hacks within a span of three days, resulting in a combined loss of approximately $23.7 million in digital assets.
The first attack, which occurred on June 10th, involved a sophisticated price manipulation scheme that drained nearly $20 million from the protocol.
According to reports, the initial hack was carried out by exploiting a vulnerability in UwU Lend’s price oracle mechanism. The attacker utilized a flash loan to swap the protocol’s native token, Ethena USDe (USDE), for other tokens, artificially lowering the price of USDE and Ethena Staked USDe (SUSDE).
🚨ALERT🚨@UwU_Lend has suffered another security breach by the same attacker!
Total loss: $3.7M
Affected pools: uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, uUSDT
All stolen assets have been converted to $ETH and are located at the attacker's address: https://t.co/9TvwLh18P1 To learn… https://t.co/AjcMS1Cdyl
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) June 13, 2024
This price manipulation allowed the attacker to deposit the tokens into UwU Lend and borrow more SUSDE than intended, subsequently driving the USDE price higher.
Following a similar pattern, the attacker deposited SUSDE into UwU Lend and borrowed a substantial amount of Curve DAO (CRV) tokens, exceeding the expected amount.
Ultimately, the exploiter managed to steal nearly $20 million worth of tokens through this price manipulation tactic, which were then converted into Ethereum (ETH).
In response to the initial attack, UwU Lend took immediate action by pausing the protocol and adjusting borrowing and deposit rates to zero to prevent further losses.
The team also identified and addressed the vulnerability in the USDE market oracle, which was deemed responsible for the exploit.
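The mechanism described above, as an added example that is not UwU Lend's code: a toy model of how an oracle reading a manipulable spot price inflates borrowing power, and how a deviation check against a slower reference price refuses the skewed reading. The constant-product pool, all amounts, the 75% loan-to-value ratio and the 2% deviation limit are assumptions chosen for illustration.

```python
"""Toy model with constructed numbers; not UwU Lend's contracts or oracle."""
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool holding a priced asset and a dollar stablecoin."""
    asset: float  # units of the asset the oracle prices
    usd: float    # units of the quote stablecoin

    def spot_price(self) -> float:
        return self.usd / self.asset

    def sell_asset(self, amount: float) -> None:
        """Swap `amount` of the asset into the pool (x * y = k, no fee)."""
        k = self.asset * self.usd
        self.asset += amount
        self.usd = k / self.asset

def max_borrow_units(collateral_usd: float, ltv: float, debt_price: float) -> float:
    """Units of the debt asset a position may borrow at a given oracle price."""
    return collateral_usd * ltv / debt_price

def guarded_price(spot: float, reference: float, max_dev: float = 0.02) -> float:
    """Return spot only if it is within max_dev of a slow reference price
    (for example a time-weighted average); otherwise refuse to price."""
    deviation = abs(spot - reference) / reference
    if deviation > max_dev:
        raise ValueError(f"oracle deviation {deviation:.1%} exceeds limit")
    return spot

def demo() -> dict:
    pool = Pool(asset=10_000_000, usd=10_000_000)  # spot price starts at 1.00
    reference = pool.spot_price()                  # stand-in for a pre-swap average
    honest = max_borrow_units(1_000_000, 0.75, pool.spot_price())
    pool.sell_asset(2_500_000)                     # one large swap depresses spot
    skewed = pool.spot_price()
    inflated = max_borrow_units(1_000_000, 0.75, skewed)
    try:
        guarded_price(skewed, reference)
        blocked = False
    except ValueError:
        blocked = True                             # lending logic would revert here
    return {"honest": honest, "spot": skewed, "inflated": inflated, "blocked": blocked}

if __name__ == "__main__":
    print(demo())
```

With the same collateral, the depressed spot price raises the borrow limit from 750,000 to roughly 1,171,875 units, while the guarded oracle rejects the reading outright.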
However, just three days later, on June 13th, UwU Lend fell victim to a second attack, this time targeting multiple liquidity pools.
The attacker, believed to be the same individual or group responsible for the previous hack, managed to steal approximately $3.7 million worth of assets from pools such as uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.
According to the security firm CertiK, the second attack was a consequence of the initial exploit. The attacker had gained a significant amount of sUSDE tokens from the first hack, which were still recognized as legitimate collateral by the UwU Lend protocol. This oversight allowed the attacker to exploit those sUSDE tokens and drain the remaining liquidity pools.
The stolen assets from the second attack, including various stablecoins and other tokens, were promptly converted into Ethereum and transferred to the attacker’s wallet address: 0x841dDf093f5188989fA1524e7B893de64B421f47.
As of now, the attacker still holds the stolen funds from both hacks, totaling approximately $23.7 million. UwU Lend and various security firms are actively investigating the incidents and exploring potential avenues for tracing and recovering the assets.