UwU Lend Reacts to $23 Million Hack, Pauses Protocol and Negotiates with Hacker
Uwu Lend, a lending protocol founded by Frog Nation’s former CFO Sifu, suffered a $19.4 million loss due to an oracle manipulation attack.
Cyvers first identified the exploit, revealing a sophisticated series of three transactions executed within six minutes. The attackers converted stolen Wrapped Bitcoin (WBTC) and Dai (DAI) into Ether (ETH) after being funded from Tornado Cash.
UwU Lend Hit by $20 Million Oracle Manipulation Attack, Founder Offers Deal to Hacker
🚨ALERT🚨Hey @UwU_Lend, you are being attacked!
So far address got around $14M
More update will follow!
Please contact us to learn how to secure your digital assets!#CyversAlert pic.twitter.com/IND77hbTbH
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) June 10, 2024
On Monday, June 10, UwU Lend, a decentralized finance (DeFi) protocol, was hacked for nearly $20 million in an ongoing cryptocurrency exploit. The incident was first identified by on-chain security firm Cyvers, which alerted the community with a post on social media platform X:
“Hey @UwU_Lend, you are being attacked! So far, the address got around $14M…”
According to Cyvers, UwU Lend, which functions as a liquidity market allowing users to deposit and borrow digital assets, was attacked through a sophisticated series of transactions. The exploit quickly escalated, surpassing $20 million in stolen funds within an hour of the initial alert.
The attack, funded through the crypto-mixing protocol Tornado Cash, was executed with remarkable speed and precision. The hacker performed three malicious transactions in just six minutes, draining approximately $20 million. Cyvers disclosed that the funding for the attack was received from Tornado Cash two days before the exploit.
Today's @UwU_Lend hack leads to $19.4m loss.
The root cause is a price oracle issue. In particular, the sUSDe asset is priced as median from multiple sources. Five of them, i.e., FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe, were manipulated during the hack.
The stolen… https://t.co/4ec92zxoql pic.twitter.com/xuGGegfDpV
— PeckShield Inc. (@peckshield) June 10, 2024
According to Peckshield, the root cause was a price oracle issue involving the sUSDe asset, priced based on a median from multiple sources. The attacker manipulated five sources during the hack, causing the exploit.
Yesterday UwU Lend was the target of an exploit involving a sophisticated attack. The team reacted swiftly and the protocol was paused within minutes. Rates for borrows and deposits have been set to 0% so users’ positions will not be affected by this pause.
— UwU Lend (@UwU_Lend) June 11, 2024
In response to the attack, UwU Lend swiftly paused its protocol to prevent further losses and set the borrowing and deposit rates to 0% to protect users’ positions. The team issued a statement on their X page, explaining their immediate actions and ongoing investigation:
“We have made an offer to the hacker and are awaiting a response. The protocol will remain paused until the investigation has concluded. Thank you for your patience during this time.”
Michael Patryn, also known as 0xSifu, the founder of UwU Lend, offered the hacker a deal to return about $16 million in crypto in exchange for dropping potential charges. He stated in an on-chain message:
“We are offering a 20% white hat bounty of any funds taken. You will face no risk of us pursuing this further and no risk of law enforcement issues.”
Post-deadline, the bounty would be offered to anyone who could expose and help bring the exploiter to justice. Meanwhile, another individual sent an on-chain message to the hacker with instructions on how to move the funds without getting caught, adding another layer of complexity to the situation.
The stolen assets, which include significant amounts of WETH, WBTC, bLUSD, crvUSD, sDAI, CRV, DAI, USDT, and sUSDe, are currently parked in two addresses. The total estimated loss stands at approximately $23 million.
Crypto Hackers Poised to Surpass 2023 with Record-Breaking Thefts in 2024
UwU Lend, which operates as a liquidity market allowing users to deposit and borrow digital assets, has assured users that the hack did not affect most deposited assets, including SIFU, VOLTA, FRAX, and several other markets.
UwuLend’s audit by Peckshield had previously characterized the code as “well designed and engineered,” with “no high-severity or critical issues” detected.
Crypto hackers may be on track to surpass 2023 regarding stolen digital assets. In the first quarter of 2024, hackers stole digital assets valued at $542.7 million, a 42% increase compared to the same period in 2023.
The surge in stolen funds can be attributed to the rising valuation of cryptocurrencies, which has increasingly attracted malicious actors since the beginning of 2024. As the value of digital assets climbs, so does the incentive for hackers to exploit vulnerabilities within the crypto ecosystem.
