- UwU Lend, a DeFi lending protocol, has experienced two attacks within a three-day span.
- The second exploit occurred while the project was addressing the aftermath of the first hack.
- Between the two incidents, approximately $23 million has been siphoned from the protocol.
UwU Lend experiences significant security breaches, losing $23 million in two separate attacks within three days, raising concerns about the safety of DeFi protocols.
UwU Lend Suffers First Major Exploit
On June 10, UwU Lend was targeted in a complex attack that resulted in a loss of $19.3 million. The exploit utilized flash loans to take advantage of the protocol’s vulnerabilities. In an immediate response, the team paused operations and announced that critical assets remained secure.
The protocol’s team confirmed the breach and initiated steps to mitigate damage, including offering a $4 million bounty for the return of the stolen funds. The compromised assets included a range of tokens such as Wrapped Ethereum (wETH), Wrapped Bitcoin (wBTC), Curve DAO (CRV), and more.
Technical Analysis of the Exploit
According to blockchain security experts at Beosin, the attacker manipulated the price of USDe (USDE) through a series of swaps using flash loans. This action significantly devalued USDe and its staked counterpart, sUSDE. By leveraging these manipulated prices, the attacker was able to deposit funds into UwU Lend and borrow more assets than the manipulated token price justified, further amplifying the exploit.
In response, UwU Lend identified the root cause of the vulnerability, particularly related to the sUSDE market oracle. The team patched the vulnerability and resumed operations, assuring users that their funds were secure and highlighting their commitment to restoring normalcy and repaying any incurred debts.
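The oracle weakness described above, and one common mitigation, as an added illustration (this is not UwU Lend's contract code or its patch). It assumes a constant-product pool with constructed reserves, a 10-sample trailing window and a 2% deviation bound; all names are hypothetical. A lending market that reads the raw spot price sees whatever a single large swap leaves behind, while the guarded read refuses to return a price that has moved too far from the trailing average.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Constant-product pool (usde * usd = k); reserves are constructed."""
    usde: float
    usd: float

    def spot(self) -> float:
        return self.usd / self.usde  # USD per USDe

    def sell_usde(self, amount: float) -> None:
        k = self.usde * self.usd
        self.usde += amount
        self.usd = k / self.usde

@dataclass
class GuardedOracle:
    pool: Pool
    max_dev: float = 0.02  # assumed bound, not a value from the page
    window: deque = field(default_factory=lambda: deque(maxlen=10))

    def record(self) -> None:
        """Sample the pool once per block, before that block's swaps."""
        self.window.append(self.pool.spot())

    def price(self) -> float:
        if not self.window:
            raise ValueError("no observations yet")
        avg = sum(self.window) / len(self.window)
        spot = self.pool.spot()
        if abs(spot - avg) / avg > self.max_dev:
            raise ValueError(f"spot {spot:.4f} deviates from average {avg:.4f}")
        return avg

def scenario(swap_size: float):
    """Return (spot after one swap, guarded price or None if rejected)."""
    pool = Pool(usde=10_000_000.0, usd=10_000_000.0)
    oracle = GuardedOracle(pool)
    for _ in range(10):
        oracle.record()
    pool.sell_usde(swap_size)
    try:
        return pool.spot(), oracle.price()
    except ValueError:
        return pool.spot(), None
```

Calling `scenario(5_000_000)` shows the spot price falling to roughly 0.44 while the guarded read is rejected; `scenario(10_000)` leaves the spot within the bound and returns the trailing average.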
A Second Blow Amid Recovery Efforts
Despite efforts to secure the protocol, UwU Lend faced yet another attack during its reimbursement process for the initial breach. This second exploit involved the theft of an additional $3.7 million, with the attacker converting the stolen funds to ETH. Affected pools included uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.
The recurrence of the attack sparked significant concern within the crypto community. Questions about the protocol’s security measures and the actual safety of user funds led to widespread criticism and uncertainty. Memes and satirical comments flooded social platforms, reflecting frustrations and mistrust.
The Role of Michael Patryn in UwU Lend
Adding to the controversy, UwU Lend was co-founded by Michael Patryn, also known as Sifu. Patryn has a tainted history: he was a co-founder of the collapsed QuadrigaCX exchange and is currently under scrutiny by Canadian authorities. His involvement has cast a shadow over UwU Lend, further complicating efforts to restore user confidence.
Investigative Findings and Protocol Security
Initial investigations into the second attack suggest a similar vulnerability was exploited. MetaTrust Labs reported that the attacker used 60 million uSUSDE obtained from the first hack as collateral to drain another pool. This revelation has caused users to question why the team did not take preemptive measures against the exploited tokens still sitting in the attacker’s wallet.
At present, the protocol remains paused, with an official statement on the second breach still pending. Users are urged to stay vigilant and await further updates from the UwU Lend team regarding the security measures and recovery plans moving forward.
Conclusion
The twin security breaches at UwU Lend highlight serious vulnerabilities in DeFi protocols and stress the importance of robust security measures. While the protocol’s team is working to rectify the situation, the events underscore the need for continuous vigilance and comprehensive audits in the decentralized finance space. Investors and users are advised to stay informed about developments and exercise caution when engaging with DeFi platforms.