TLDR
- UwU Lend, a decentralized finance (DeFi) protocol, was hacked for nearly $20 million on Monday, June 10.
- The attack was first discovered by on-chain security firm Cyvers, which alerted UwU Lend about the ongoing exploit.
- The attacker used a flash loan to manipulate the price feed and exploit a vulnerability in the protocol’s price oracle system.
- UwU Lend co-founder Michael Patryn, also known as 0xSifu, offered the hacker a 20% bounty (around $4 million) to return the remaining stolen funds.
- The incident highlights the vulnerabilities within DeFi platforms and the need for stronger security measures to prevent similar attacks in the future.
The decentralized finance (DeFi) protocol UwU Lend has become the latest victim of a major cryptocurrency hack, with attackers siphoning nearly $20 million worth of digital assets on Monday, June 10.
Today's @UwU_Lend hack leads to $19.4m loss.
The root cause is a price oracle issue. In particular, the sUSDe asset is priced as median from multiple sources. Five of them, i.e., FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe, were manipulated during the hack.
The stolen… https://t.co/4ec92zxoql pic.twitter.com/xuGGegfDpV
— PeckShield Inc. (@peckshield) June 10, 2024
The ongoing exploit was first discovered by on-chain security firm Cyvers, which promptly alerted UwU Lend about the attack.
In a post on social media platform X (formerly Twitter), Cyvers wrote, “Hey @UwU_Lend, you are being attacked! So far address got around $14M…” As the attack unfolded, the total amount stolen quickly surpassed the $20 million mark, making it one of the most significant crypto hacks of the year.
ALERT: Hey @UwU_Lend, you are being attacked!
So far address got around $14M
More update will follow!
Please contact us to learn how to secure your digital assets! #CyversAlert pic.twitter.com/IND77hbTbH
— Cyvers Alerts (@CyversAlerts) June 10, 2024
UwU Lend, a protocol that allows users to deposit and borrow cryptocurrency, was founded in September 2022 by Michael Patryn, also known as 0xSifu.
Patryn is a controversial figure in the crypto space, best known for co-founding the now-defunct QuadrigaCX exchange.
Despite its relatively short history, UwU Lend had amassed an impressive $91 million in Total Value Locked (TVL) before the exploit.
Investigations by blockchain security firms Cyvers and Beosin have revealed that the attacker employed a sophisticated strategy to carry out the theft.
By utilizing a flash loan, the hacker was able to manipulate the price feed of the protocol’s stablecoin, USDe, and its synthetic version, sUSDe.
This manipulation allowed the attacker to exploit a critical vulnerability in UwU Lend’s price oracle system, enabling them to drain the protocol’s funds.
The root cause of the exploit, according to Matthew Jiang, director of security services at BlockSec, was an improperly designed blockchain oracle.
Oracles are vital components of DeFi platforms, responsible for providing accurate price data to the protocol. When these systems are not adequately secured or designed, they become prime targets for attackers looking to exploit weaknesses and steal funds.
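The following added example (not from the original article and not UwU Lend's code) shows why a median over several feeds stops protecting once a majority of them can be moved together, and how a deviation check against the last accepted price refuses such an update. The five feed names are those in the PeckShield post; the four `ref_*` feeds, every price, and the 2% bound are constructed assumptions.

```python
from statistics import median

# The five feed names come from the PeckShield post quoted above. The four
# ref_* feeds, every price and the 2% bound are constructed for illustration.
NAMED_FEEDS = ["FRAXUSDe", "USDeUSDC", "USDeDAI", "USDecrvUSD", "GHOUSDe"]
HONEST = {
    "FRAXUSDe": 1.001, "USDeUSDC": 0.999, "USDeDAI": 1.000,
    "USDecrvUSD": 1.002, "GHOUSDe": 0.998,
    "ref_1": 1.000, "ref_2": 1.001, "ref_3": 0.999, "ref_4": 1.000,
}

class OracleDeviation(Exception):
    """Aggregated price moved too far from the last accepted price."""

def max_tolerated(n):
    """Most skewed feeds a median over n feeds can absorb."""
    return (n - 1) // 2

def skew(quotes, k, price):
    """Copy of quotes with the first k named feeds reporting `price`."""
    out = dict(quotes)
    for name in NAMED_FEEDS[:k]:
        out[name] = price
    return out

def guarded_price(quotes, last_good, max_dev=0.02):
    """Median of the feeds, refused if it strays more than max_dev from last_good."""
    def dev(p):
        return abs(p - last_good) / last_good
    price = median(quotes.values())
    # Feeds that individually deviate, reported for alerting.
    outliers = sorted(n for n, p in quotes.items() if dev(p) > max_dev)
    if dev(price) > max_dev:
        raise OracleDeviation(f"median {price} rejected; outlier feeds: {outliers}")
    return price, outliers

if __name__ == "__main__":
    for k in (4, 5):
        quotes = skew(HONEST, k, 1.03)
        print(k, "skewed feeds -> raw median", median(quotes.values()))
        try:
            print("  accepted:", guarded_price(quotes, last_good=1.0))
        except OracleDeviation as e:
            print("  refused:", e)
```

With nine feeds the median absorbs four skewed values but follows the fifth, which is the point at which the guard refuses the update and names the deviating feeds.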
In the wake of the attack, UwU Lend co-founder Michael Patryn took an unconventional approach to recover the stolen funds. Patryn, who has a checkered past in the crypto industry, sent a blockchain message to the hacker, offering a 20% bounty (approximately $4 million) in exchange for the return of the remaining 80% of the stolen assets.
The message also included a threat to pursue the hacker “from all angles” if they did not comply with the offer by June 12 at 17:00 UTC.
While such bounty offers are not uncommon in the crypto world, they are rarely accepted by hackers. However, there have been instances where attackers have returned a portion of the stolen funds in response to similar proposals.