Another Major Hack Hits UwU Lend During $20M Payout Process

YEREVAN (CoinChapter.com) — The UwU Lend protocol has been attacked again, suffering a second hack while in the middle of a $20 million reimbursement process. This new attack resulted in the theft of $3.5 million from various asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen assets were converted to ETH and are now at the attacker’s address: 0x841dDf093f5188989fA1524e7B893de64B421f47.

Onchain data analytic platform Cyvers alerted UwU Lend about the exploit, indicating that the same attackers responsible for the previous $20 million breach were behind this latest attack.

June 10th Attack on UwU Lend: Price Manipulation Leads to $20M Theft

The first exploit, which occurred on June 10, was caused by price manipulation. The attacker used a flash loan to swap USDe for other tokens, causing a decrease in the price of $USDe and $sUSDe. They then deposited some of these tokens into UwU Lend and lent more $sUSDe than expected, driving the $USDe price higher.

Additionally, the attacker deposited sUSDe to UwU Lend and borrowed more CRV than anticipated. This allowed them to steal nearly $20 million in tokens, which were then converted to ETH.

Ongoing Reimbursement Efforts Interrupted

UwU Lend was actively reimbursing victims of the first hack when the second attack occurred. The protocol announced on X that they had repaid all bad debt for the $wETH market, which amounted to 481.36 $wETH, equivalent to $1,734,042. In total, they had reimbursed $9,715,288 before the second exploit disrupted their efforts.

UwU Lend identified and resolved the vulnerability that caused the first exploit. They stated that it was unique to the USDe market oracle. They assured users that all other markets had been re-reviewed by industry professionals and auditors, with no further issues found.

This incident highlights the need for continuous monitoring and advanced security protocols in the DeFi space.