TLDR
- UwU Lend, a DeFi lending protocol, suffered another hack, losing approximately $3.5 million to $3.7 million, just days after a previous $20 million exploit.
- The ongoing exploit targeted multiple asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT, with the stolen funds being converted to Ethereum.
- The attack occurred during the reimbursement process for the previous hack victims, with UwU Lend having already repaid over $9.7 million in bad debt.
- The initial exploit was caused by price manipulation, while the latest exploit is a consequence of the attacker holding sUSDE tokens gained from the first attack.
- UwU Lend’s total losses from both hacks amount to around $23 million, causing a significant decline in the value of its governance token, UWU.
UwU Lend, a decentralized finance (DeFi) lending and liquidity protocol, has fallen victim to yet another significant security breach, just days after suffering a $20 million exploit.
The latest attack, which occurred on June 13, 2024, has resulted in an additional loss of approximately $3.5 million to $3.7 million, bringing the total losses to around $23 million within a single week.
The ongoing exploit targeted multiple asset pools within the UwU Lend protocol, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.
The stolen funds, amounting to roughly $3.5 million, have been converted to Ethereum (ETH) and are currently held in the attacker’s wallet address, “0x841dDf093f5188989fA1524e7B893de64B421f47”.
ALERT: @UwU_Lend has suffered another security breach by the same attacker!
Total loss: $3.7M
Affected pools: uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, uUSDT
All stolen assets have been converted to $ETH and are located at the attacker's address: https://t.co/9TvwLh18P1 To learn… https://t.co/AjcMS1Cdyl
— Cyvers Alerts (@CyversAlerts) June 13, 2024
The attack took place during the reimbursement process for victims of the previous $20 million exploit. UwU Lend had already repaid over $9.7 million in bad debt, including 481.36 wETH worth more than $1.7 million for the Wrapped Ether (wETH) market alone.
The initial exploit, which occurred on June 10, was caused by price manipulation. The attacker used a flash loan to swap USDe for other tokens, leading to a lower price of Ethena USDe (USDE) and Ethena Staked USDe (SUSDE).
By depositing the tokens to UwU Lend and lending more SUSDE than expected, the attacker drove the USDE price higher, ultimately stealing nearly $20 million in tokens.
According to CertiK, a crypto security firm, the latest exploit is not due to the same vulnerability but rather a consequence of the first attack. The attacker gained a significant number of sUSDE tokens from the initial exploit and, despite the protocol being paused, UwU Lend still considered sUSDE as legitimate collateral.
This oversight allowed the attackers to exploit the remaining sUSDE and drain the remaining pools.
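The containment gap CertiK describes can be shown with a small model of a lending market. This is an added example, not UwU Lend's code: the class and field names, the `frozen` flag, the account name, and all prices, LTV values and balances are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Collateral:
    price_usd: float      # oracle price (constructed value)
    ltv: float            # fraction of value that can be borrowed against
    frozen: bool = False  # incident flag: stop counting this asset as collateral

@dataclass
class LendingMarket:
    collateral: dict                               # asset -> Collateral
    liquidity_usd: dict                            # pool -> USD available to borrow
    deposits: dict = field(default_factory=dict)   # user -> {asset: amount}
    debt_usd: dict = field(default_factory=dict)   # user -> USD already borrowed

    def borrow_capacity(self, user):
        """USD the user can still borrow; frozen assets contribute nothing."""
        backing = sum(
            amount * self.collateral[asset].price_usd * self.collateral[asset].ltv
            for asset, amount in self.deposits.get(user, {}).items()
            if not self.collateral[asset].frozen
        )
        return max(0.0, backing - self.debt_usd.get(user, 0.0))

    def borrow(self, user, pool, usd):
        """Lend at most what capacity and pool liquidity allow; return amount lent."""
        granted = min(usd, self.borrow_capacity(user), self.liquidity_usd[pool])
        self.liquidity_usd[pool] -= granted
        self.debt_usd[user] = self.debt_usd.get(user, 0.0) + granted
        return granted

def exposure_after_incident(freeze_tainted):
    """Total USD an account holding tainted sUSDE can pull from the pools."""
    market = LendingMarket(
        collateral={"sUSDE": Collateral(price_usd=1.0, ltv=0.75)},
        liquidity_usd={"uDAI": 200.0, "uWETH": 300.0, "uUSDT": 100.0},
        deposits={"flagged_account": {"sUSDE": 1000.0}},  # constructed balance
    )
    if freeze_tainted:
        market.collateral["sUSDE"].frozen = True  # containment step after the incident
    return sum(market.borrow("flagged_account", pool, float("inf"))
               for pool in list(market.liquidity_usd))

if __name__ == "__main__":
    print("sUSDE still accepted:", exposure_after_incident(False))
    print("sUSDE frozen:        ", exposure_after_incident(True))
```

In this model the remaining exposure is bounded by pool liquidity rather than by any control, until the tainted asset is removed from the collateral calculation.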
The series of hacks has had a significant impact on UwU Lend’s governance token, UWU, which has shed 14.5% of its value over the past seven days and 81% in the past year, now holding a market cap of just $26 million.