The crypto lending platform UwU Lend has suffered another hack, just as it was recovering from a prior $20 million exploit on June 10.
The protocol was alerted to the new attack by the Web3 security firm Cyvers, which indicated that the same perpetrators were responsible for both incidents.
Cyvers reported that the latest breach has resulted in the theft of $3.7 million from various asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.
In the first breach, the attacker manipulated prices by using a flash loan to exchange Ethena USDe (USDe) for other tokens, causing a drop in the prices of USDe and Ethena Staked USDe (SUSDe). The attacker then deposited these tokens into UwU Lend, enabling them to borrow more SUSDe than usual, increasing the price of USDe.
The exploiter also deposited SUSDe into UwU Lend and borrowed more Curve DAO (CRV) than typically possible. Through these strategies, nearly $20 million worth of tokens were stolen, all of which were converted into Ether (ETH).
In response to the initial breach, UwU Lend began reimbursing affected users. They announced on X that they had cleared all bad debt in the Wrapped Ether (wETH) market, amounting to 481.36 wETH (over $1.7 million), and had reimbursed a total of over $9.7 million.
UwU Lend stated they had identified and resolved the vulnerability that facilitated the first exploit. Additionally, they reported that other markets had been thoroughly reviewed by industry experts and auditors, with no further issues found.
However, crypto security firm CertiK clarified that the latest attack did not stem from the same vulnerability; instead, it was a consequence of the initial exploit. Despite the protocol being paused, UwU Lend's continued recognition of uUSDE as valid collateral allowed the attackers, who still held a significant number of uUSDE tokens, to exploit these tokens and drain the remaining pools.
This second breach highlights the challenges in securing decentralized finance platforms, emphasizing the need for strict measures to protect user assets.
In other news, hackers recently used a Google Chrome plugin designed to access browser cookies and stole over $1 million from a Binance user.