WikiBit 2024-06-14 18:18

Hackers exploited the price oracle of the lending protocol UwU Lend in two separate attacks, stealing tokens worth approximately $24 million.
On June 10, the decentralized lending protocol UwU Lend suffered a hack, resulting in a loss of nearly $19.3 million. On-chain data shows that the hacker's wallet successfully stole a range of tokens, including Wrapped Ether (WETH), Wrapped Bitcoin (WBTC), and stablecoins, most of which were then traded on Uniswap.
UwU Lend is a project forked from the open-source code of the Ethereum-based lending protocol AAVE v2. It allows users to lend and borrow digital assets, participate in investment strategies, and manage assets in a non-custodial manner. According to the documentation on its website, the platform prioritizes security, using forked and audited code from AAVE v2 to minimize smart contract risks. However, this recent breach has exposed vulnerabilities in the protocol's security measures.
Web3 security firm PeckShield stated that the root cause of the attack was an issue with the price oracle, specifically that the pricing of the sUSDe asset came from a median of multiple sources. Five of these sources—FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe—were manipulated during the attack.
In the first breach, the attacker used flash loans to manipulate the price of Ethena USDe (USDe) by exchanging it for other tokens, causing the price of USDe and Ethena Staked USDe (sUSDe) to drop. The attacker then deposited these tokens into UwU Lend, allowing them to borrow more sUSDe than usual, thereby inflating the price of USDe. The attacker also deposited sUSDe into UwU Lend and borrowed more Curve DAO (CRV) than typically possible. Through these strategies, nearly $20 million worth of tokens were stolen and subsequently converted into Ether (ETH).
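An added illustration of the median aggregation PeckShield describes, not code from UwU Lend or from the article: the median holds while a minority of sources is skewed and follows the skew once a majority is, and a deviation guard against a slow reference price refuses to publish in that case. The total feed count, the names `feed_6` to `feed_9`, every price, the reference price and the thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data. The first five names are the sources the article lists;
# feed_6..feed_9, the total count and every price are assumptions for illustration.
ARTICLE_FEEDS = ["FRAXUSDe", "USDeUSDC", "USDeDAI", "USDecrvUSD", "GHOUSDe"]
BASELINE = {"FRAXUSDe": 1.001, "USDeUSDC": 0.999, "USDeDAI": 1.000,
            "USDecrvUSD": 1.002, "GHOUSDe": 0.998, "feed_6": 1.000,
            "feed_7": 1.001, "feed_8": 0.999, "feed_9": 1.000}

def skew(feeds, names, factor):
    """Return a copy of feeds with the named sources scaled by factor."""
    return {n: p * factor if n in names else p for n, p in feeds.items()}

def median_price(feeds):
    """Plain median over every source, with no sanity check."""
    return median(feeds.values())

def guarded_price(feeds, reference, max_dev=0.02, quorum=0.6):
    """Median over sources within max_dev of a slow reference price (e.g. a TWAP).

    Raises ValueError when fewer than quorum of the sources are in band, so the
    consumer can pause borrowing instead of acting on a skewed price.
    """
    in_band = [p for p in feeds.values()
               if abs(p - reference) / reference <= max_dev]
    if len(in_band) < quorum * len(feeds):
        raise ValueError(f"only {len(in_band)}/{len(feeds)} sources in band")
    return median(in_band)

if __name__ == "__main__":
    minority = skew(BASELINE, ARTICLE_FEEDS[:2], 0.9)
    majority = skew(BASELINE, ARTICLE_FEEDS, 0.9)
    print("baseline median:", median_price(BASELINE))
    print("2 of 9 skewed:  ", median_price(minority))
    print("5 of 9 skewed:  ", median_price(majority))
    print("guarded, 2 skewed:", guarded_price(minority, reference=1.0))
    try:
        guarded_price(majority, reference=1.0)
    except ValueError as exc:
        print("guarded, 5 skewed: rejected,", exc)
```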
In response to the initial default event, UwU Lend began compensating affected users. They announced on X that they had cleared all bad debt in the Wrapped Ether (wETH) market, totaling 481.36 wETH (over $1.7 million), and repaid more than $9.7 million in total.
Cryptocurrency security firm CertiK revealed that the ongoing attacks were not due to the same vulnerability but were a result of the initial attack.