UwU Lend Defi Protocol Hit by $19.5M Exploit

UwU Lend DeFi Hack Incident: A Detailed Breakdown

A significant hack has struck UwU Lend, a DeFi lending platform, leading to financial losses estimated at around $19.5 million. Web3 security firm Cyvers identified the breach. 

The hacker executed three transactions within six minutes, draining approximately $20 million. Funds for the attack were sourced from Tornado Cash two days before the incident. Flash loans were used to manipulate asset prices on DeFi apps, particularly targeting five stablecoin pairs to affect the sUSDe price feed or 'oracle'. 

The stolen funds, including USDC, FRAX, crvUSD, and blUSD, were converted to ETH and consolidated into a new address holding over 4000 ETH, worth around $15 million, via Uniswap. Among those impacted was Michael Egorov, founder of Curve Finance, who saw a 5% drop in CRV's price post-hack before a recovery. 

This breach highlights ongoing vulnerabilities within the DeFi sector. Up to May 2024, the industry has suffered $473.22 million in losses from 108 incidents, with $52.37 million lost in 21 incidents in May alone. 

UwU Lend, created by Michael Patryn (aka 0xSifu) of the infamous QuadrigaCX collapse, has paused its protocol and announced on X an investigation into the exploit, with plans to refund affected users. Michael Patryn’s history with DeFi projects under the 'Frog Nation' umbrella, including Wonderland, Magic Internet Money, and Abracadabra (hacked for $6.5 million earlier this year), coupled with his past at QuadrigaCX, casts a long shadow over the current incident. 

To mitigate further losses, the team swiftly paused the entire protocol, setting borrowing and deposit rates to 0%. This was an emergency measure to stop the bleeding of assets.

With the protocol stabilized temporarily, the team initiated an in-depth investigation into the breach. Michael Patryn (aka 0xSifu), the founder of UwU Lend, offered the anonymous hacker responsible a 20% bounty on the stolen assets if the hacker agreed to return the pilfered funds and drop any potential criminal charges. So far, the hacker has not responded to this olive branch offer.

The stolen crypto assets, including various stablecoins and other tokens, are currently parked in two separate addresses controlled by the hacker. Tracking the movement of these funds has become a priority for the team.

However, the situation took an even more complicated turn when an unknown individual entered the fray. This person sent on-chain messages directly to the hacker, providing instructions on how to move the ill-gotten funds without getting caught by authorities. Their motivations and identity remain a mystery, adding another layer of intrigue to an already tangled web.

The UwU Lend attack is part of a broader trend of increasing cyber threats targeting the DeFi sector, including a $19.5 million hack on Lykke exchange and a $5 million breach of Ethereum L2 Loopring's smart wallet 2FA system. 

On June 10, the UwU Lend protocol was under attack again. The exploit, carried out by the same attackers, already stole $3.5 million in various assets, all converted to Ether. 

The first exploit involved price manipulation, where the attacker used flash loans to manipulate the price of USDe and SUSDE, then deposited these tokens to UwU Lend and borrowed more than expected, ultimately stealing $20 million. 

The second exploit, while not the same vulnerability, is a consequence of the first, as the attacker gained sUSDE tokens from the initial exploit and used them to drain remaining pools. UwU Lend was in the process of reimbursing victims from the first hack, having repaid $9.7 million before the second exploit occurred. 

UwU Lend is offering a $5 million bounty in Ether to an who can identify and locate the hacker who stole a total of $24 million from the protocol in two attacks. The bounty is being offered to incentivize the capture of the hacker and will be paid out before any funds are recovered or charges are laid. The hacker has yet to respond to UwU’s requests to return the stolen funds.