DeFi lending protocol UwU Lend has suffered two attacks in the last three days. The second exploit occurred on Thursday during the protocol’s redemption process from the first hack. The ongoing saga has taken approximately $23 million out of the protocol.
DeFi protocol hit by $20 million exploit
On June 10, the DeFi project UwU Lend was hit by a sophisticated attack that cost $19.3 million. The attack apparently involved the use of flash loans to exploit the protocol. The project quickly resolved the situation by suspending the protocol and assured users that most assets were safe.
UwU Lend acknowledges $20 million exploit. Source: UwU Lend on X
Additionally, the team offered a $4 million bonus to the white hat for the return of the funds. The list of stolen assets included Wrapped Ethereum (wETH), Wrapped Bitcoin (wBTC), Curve DAO (CRV), Tether (USDT), Staked USDe (sUSDE) and others.
Beosin, a blockchain security company, revealed that the attacker manipulated the price of USDe (USDE) by swapping it for other tokens via flash loans. Apparently, these swaps caused the price of USDe and sUSDE to fall.
Following the price manipulation, the hacker deposited some of the tokens on UwU Lend and “loaned more $sUSDe than intended,” driving up the price of USDe. Likewise, the attacker deposited sUSDE on the DeFi protocol and borrowed CRV.
On Wednesday, UwU Lend informed users that its team had identified the vulnerability. According to the post, the vulnerability was unique to the sUSDE market oracle and had been resolved at the time of writing.
As a result, the protocol was not suspended and the markets were slowly restarted to resume normal operations. The DeFi project also announced that it would repay all its bad debts and that user funds were not lost in the exploit, saying their funds “are safe at UwU Lend.”
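The reported manipulation relies on a lending market acting on a price reading that has been pushed away from its recent level. The following added example (not UwU Lend's code; the page does not describe the oracle's internals) shows a deviation guard that compares each reading with a trailing median and refuses to lend on outliers. The prices, the 2% threshold, the window size and the function names are constructed assumptions.

```python
from statistics import median

MAX_DEVIATION = 0.02   # assumed tolerance: 2% away from the trailing median
WINDOW = 5             # assumed number of earlier readings used as reference

def reference_price(history):
    """Median of the last WINDOW accepted readings; one outlier cannot move it."""
    return median(history[-WINDOW:])

def check_price(history, spot):
    """Return (ok, deviation) for a new reading against the trailing median."""
    ref = reference_price(history)
    deviation = abs(spot - ref) / ref
    return deviation <= MAX_DEVIATION, deviation

def max_borrow_units(collateral_usd, asset_price):
    """Units of the borrowed asset a fixed USD collateral can draw (LTV ignored)."""
    return collateral_usd / asset_price

def replay(prices, collateral_usd=1_000_000):
    """Replay per-block sUSDe readings and report what each policy would lend."""
    history, report = list(prices[:WINDOW]), []
    for block, spot in enumerate(prices[WINDOW:], start=WINDOW):
        ok, dev = check_price(history, spot)
        # Naive market: trusts whatever the oracle says in this block.
        naive = max_borrow_units(collateral_usd, spot)
        # Guarded market: lends at the reference price, or not at all on an outlier.
        guarded = max_borrow_units(collateral_usd, reference_price(history)) if ok else 0.0
        report.append({"block": block, "spot": spot, "deviation": round(dev, 4),
                       "naive_units": round(naive), "guarded_units": round(guarded)})
        if ok:
            history.append(spot)   # rejected readings never enter the reference
    return report

# Constructed series: stable near 1.08, one depressed block, one inflated block.
SAMPLE_PRICES = [1.08, 1.08, 1.081, 1.079, 1.08, 1.08, 0.99, 1.13, 1.08]

if __name__ == "__main__":
    for row in replay(SAMPLE_PRICES):
        print(row)
```

In the depressed block the naive market lends more units than it would at the reference price, while the guarded market lends nothing until the reading returns to range.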
Do you get DéFi Vu?
What seemed like the end of the story turned out to be the first part of a saga. On Thursday, reports of a second attack on UwU Lend appeared as the protocol was carrying out its refund process.
According to reports, the same attacker embezzled an additional $3.7 million from the DeFi protocol before converting the funds back to ETH. The affected pools included uDAI, uWETH, uLUSD, uFRAX, uCRVUSD and uUSDT.
The crypto community has expressed concern over the second attack, with many wondering if their funds are indeed safe. Users started joking that the funds were not “safu” but rather “with Sifu”.
Crypto community shares memes about the attack. Source: ZachXBT on X
UwU Lend was founded by Michael Patryn, also known as Sifu. Patryn was the co-founder of the now-collapsed QuadrigaCX. As reported by Bitcoinist, Canadian authorities were pursuing an Unexplained Wealth Order (UWO) against Sifu for his involvement in the exchange’s criminal activities.
The DeFi project suspended the protocol for the second time this week and the situation is under investigation. However, online reports claim that the second exploit was due to a similar vulnerability to the first attack.
MetaTrust Laboratories explained that the hacker apparently used 60 million uSUSDE obtained in Monday’s hack “as collateral to empty the pool.”
The news made users wonder if the UwU Lend team was unaware of the tokens in the attacker’s wallet. Some also wondered why the team did not stop supporting sUSDE as collateral.
As of this writing, no official explanation for the second exploit has been released.
ETH is trading at $3,447 on the three-day chart. Source: ETHUSDT on TradingView