Hackers exploited the price oracle of the lending protocol UwU Lend in two separate attacks, stealing tokens worth approximately $24 million.
On June 10, the decentralized lending protocol UwU Lend suffered a hack, resulting in a loss of nearly $19.3 million. On-chain data shows that the hacker's wallet successfully stole a range of tokens, including Wrapped Ether (WETH), Wrapped Bitcoin (WBTC), and stablecoins, most of which were then traded on Uniswap.
UwU Lend is a project forked from the open-source code of the Ethereum-based lending protocol AAVE v2. It allows users to lend and borrow digital assets, participate in investment strategies, and manage assets in a non-custodial manner. According to the documentation on its website, the platform prioritizes security, using forked and audited code from AAVE v2 to minimize smart contract risks. However, this recent breach has exposed vulnerabilities in the protocol's security measures.
Web3 security firm PeckShield stated that the root cause of the attack was an issue with the price oracle, specifically that the pricing of the sUSDe asset came from a median of multiple sources. Five of these sources—FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe—were manipulated during the attack.
In the first breach, the attacker used flash loans to manipulate the price of Ethena USDe (USDe) by exchanging it for other tokens, causing the price of USDe and Ethena Staked USDe (sUSDe) to drop. The attacker then deposited these tokens into UwU Lend, allowing them to borrow more sUSDe than usual, thereby inflating the price of USDe. The attacker also deposited sUSDe into UwU Lend and borrowed more Curve DAO (CRV) than typically possible. Through these strategies, nearly $20 million worth of tokens were stolen and subsequently converted into Ether (ETH).
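The median aggregation described above can be checked numerically. This added example (not code from UwU Lend, PeckShield, or the article) shows how far five skewed sources can move a median, and how a deviation-and-quorum guard would halt pricing instead. The total of eleven sources, the six slow_* names, all prices, and the guard thresholds are assumptions constructed for illustration.

```python
from statistics import median

# Constructed quotes in micro-dollars (1_000_000 = $1.00). The five pool names are
# the ones listed in the article; the six "slow_*" sources and the total of eleven
# are assumptions made for this example.
POOLS = ["FRAXUSDe", "USDeUSDC", "USDeDAI", "USDecrvUSD", "GHOUSDe"]
BASELINE = {
    "FRAXUSDe": 1_000_400, "USDeUSDC": 999_800, "USDeDAI": 1_000_100,
    "USDecrvUSD": 999_900, "GHOUSDe": 1_000_200,
    "slow_1": 996_000, "slow_2": 998_500, "slow_3": 1_000_000,
    "slow_4": 1_000_300, "slow_5": 1_001_500, "slow_6": 1_004_000,
}

def skew(quotes, names, price):
    """Copy of quotes with the named sources forced to one price (simulated skew)."""
    return {k: (price if k in names else v) for k, v in quotes.items()}

def median_price(quotes):
    """Plain median over every source, with no sanity checks."""
    return median(quotes.values())

def guarded_price(quotes, reference, max_dev_bps=200, min_agree=0.75):
    """Median, but refuse to answer when too many sources stray from a reference.

    reference is a slow-moving anchor (for example the last accepted price);
    a source more than max_dev_bps away from it counts as an outlier.
    """
    outliers = sorted(k for k, p in quotes.items()
                      if abs(p - reference) * 10_000 > max_dev_bps * reference)
    if len(quotes) - len(outliers) < min_agree * len(quotes):
        raise ValueError(f"oracle paused, outlier sources: {outliers}")
    return median_price(quotes)

def demo():
    """Baseline median, then the median with the five pools skewed down and up."""
    base = median_price(BASELINE)
    pushed_down = median_price(skew(BASELINE, POOLS, 900_000))
    pushed_up = median_price(skew(BASELINE, POOLS, 1_100_000))
    return base, pushed_down, pushed_up

if __name__ == "__main__":
    print(demo())
```

With five of eleven sources skewed, the median lands on the lowest or highest untouched quote, so keeping the remaining sources tightly clustered, or pausing when sources disagree, limits the swing.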
In response to the initial default event, UwU Lend began compensating affected users. They announced on X that they had cleared all bad debt in the Wrapped Ether (WETH) market, totaling 481.36 WETH (over $1.7 million), and repaid more than $9.7 million in total.
Cryptocurrency security firm CertiK revealed that the ongoing attacks were not due to the same vulnerability but were a result of the initial attack.