DeFi lending protocol UwU Lend has suffered two attacks in the past three days. The second exploit occurred on Thursday during the protocol’s reimbursement process from the first hack. The ongoing saga has taken around $23 million from the protocol.
DeFi Protocol Hit With $20 Million Exploit
On June 10, DeFi project UwU Lend was hit by a sophisticated attack that took $19.3 million. The attack seemingly involved the use of flash loans to exploit the protocol. The project quickly addressed the situation by pausing the protocol and assured users that most assets were safe.
Additionally, the team offered a $4 million white hat bounty for the return of the funds. The list of stolen assets included Wrapped Ethereum (wETH), Wrapped Bitcoin (wBTC), Curve DAO (CRV), Tether (USDT), Staked USDe (sUSDE), and others.
Blockchain security firm Beosin revealed that the attacker manipulated the price of USDe (USDE) by swapping it for other tokens through flash loans. Seemingly, this move lowered USDe and sUSDE’s price.
Following the price manipulation, the hacker deposited part of the tokens to UwU Lend and “lent more $sUSDe than expected,” driving USDe’s price higher. Similarly, the attacker deposited the sUSDE to the DeFi protocol and borrowed CRV.
On Wednesday, UwU Lend informed users that its team had identified the vulnerability. Per the post, it was a vulnerability unique to the sUSDE market oracle and had been resolved at the time of the report.
As a result, the protocol was unpaused, and the markets were slowly relaunched to return to their normal operations. The DeFi project also announced it would repay all its bad debt and that users’ funds had not been lost during the exploit, claiming that their funds “are safu at UwU Lend.”
Do You Get DéFì Vu?
What seemed to be the end of the story turned out to be the first installment of a saga. On Thursday, reports of a second attack on UwU Lend appeared as the protocol carried out its reimbursement process.
According to the reports, the same attacker drained another $3.7 million from the DeFi protocol before converting the funds to ETH again. The affected pools included uDAI, uWETH, uLUSD, uFRAX, UCRVUSD, and uUSDT.
The crypto community expressed their concern about the second attack, with many questioning if their funds were indeed safe. Users started to joke that funds were not “safu” but were “with Sifu” instead.
UwU Lend was founded by Michael Patryn, also known as Sifu. Patryn was the co-founder of the now-collapsed QuadrigaCX. As reported by Bitcoinist, Canadian authorities were pursuing an unexplained wealth order (UWO) against Sifu for his involvement in the exchange’s criminal activities.
The DeFi project has paused the protocol for the second time this week, and the situation is being investigated. However, online reports claim that the second exploit was caused by a vulnerability similar to the first attack.
MetaTrust Labs explained the hacker seemingly used 60 million uSUSDE obtained from Monday’s hack “as collateral to drain the pool.”
The news caused users to wonder whether the UwU Lend team was unaware of the tokens in the attacker’s wallet. Some also questioned why they didn’t stop supporting the sUSDE collateral.
At the time of writing, an official explanation for the second exploit has not been published.