
DeFi Protocol UwU Lend Suffers Second Attack, Losing $3.7 Million

DeFi lending protocol UwU Lend has been attacked twice in the past three days. The second exploit occurred on Thursday, during the protocol's refund process for the first hack. The ongoing saga has taken about $23 million from the protocol.

DeFi Protocol Hit With $20 Million Exploit

On June 10, the DeFi project UwU Lend was hit by a sophisticated attack that took $19.3 million. The attack appears to involve the use of flash loans to fund the protocol. The project quickly responded by pausing the protocol and assured users that most assets were safe.

UwU Lend acknowledges $20 million exploit. Source: UwU Lend on X

Additionally, the team offered a $4 million white hat bounty to recoup the money. The list of stolen assets includes Wrapped Ethereum (wETH), Wrapped Bitcoin (wBTC), Curve DAO (CRV), Tether (USDT), Staked USDe (sUSDe), and others.

Blockchain security company Beosin revealed that an attacker manipulated the price of USDe by exchanging it for other tokens using loans. This move appears to have reduced the value of USDe and sUSDe.

After manipulating the price, the hacker deposited a portion of the tokens into UwU Lend and “borrowed $sUSDe more than expected,” driving the USDe value higher. Similarly, the attacker deposited sUSDe into the DeFi protocol and borrowed CRV.

On Wednesday, UwU Lend informed users that its team had identified the vulnerability. The post said there was a different vulnerability in the sUSDe market oracle and that it had been resolved at the time of the report.

As a result, the protocol's suspension was lifted, and the markets were gradually restarted to return to normal activity. The DeFi project also announced that it would pay off all of its bad debt and that users’ funds were not lost during the hack, saying that their funds are “still in UwU Lend.”

Do You Get DéFì Vu?

What appeared to be the end of the story turned out to be the beginning of a saga. On Thursday, reports of a second attack on UwU Lend emerged as the protocol went through its recovery process.

According to reports, the same attacker withdrew another $3.7 million from the DeFi protocol before converting the funds to ETH again. Affected pools include uDAI, uWETH, LUSD, uFRAX, uCRVUSD, and uUSDT.

The crypto community has expressed its concern about the second attack, with many questioning whether their funds are truly safe. Users started joking that the funds are not “safu” but “Sifu” instead.


Crypto community shares memes about the attack. Source: ZachXBT on X

UwU Lend was founded by Michael Patryn, known as Sifu. Patryn was the founder of the now-defunct QuadrigaCX. As reported by Bitcoinist, Canadian authorities were pursuing an Unexplained Wealth Order (UWO) against Sifu for his involvement in the exchange’s criminal activities.

The DeFi project has temporarily suspended the protocol for the second time this week, and the situation is being investigated. However, reports online say that the second exploit was caused by the same vulnerability as the first attack.

MetaTrust Labs said the hacker appears to have used the 60 million sUSDe obtained in Monday’s hack as “a collateral drain.”

The news made users wonder whether the UwU Lend team was aware of the tokens in the attacker’s wallet. Some also questioned why they did not stop subsidizing the sUSDe bond.

At the time of writing, an official description of the second exploit has not been published.


ETH is trading at $3,447 on the three-day chart. Source: ETHUSDT on TradingView

Featured image from Unsplash.com, Chart from TradingView.com

