UwU Lend hit by another $3.7 million hack amid reimbursement efforts

The protocol is being targeted by the same attackers responsible for the initial $20 million exploit.

UwU Lend hit by another $3.7 million hack amid reimbursement efforts

Share this article

In a troubling development, the UwU Lend protocol, which fell victim to a nearly $20 million hack on June 10, is now facing another ongoing exploit. Onchain data analytics platform Cyvers has alerted the protocol to the attack, asserting that the same attackers responsible for the previous exploit are behind this latest incident.

The ongoing exploit has already drained $3.5 million from several asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen assets have been converted to Ether (ETH) and are currently held at the attacker’s address. Etherscan has tagged the address in question accordingly based on a report by Togbe, one of the first X users to bring attention to the initial hack.

This latest attack comes just three days after the initial $20 million exploit, which was caused by price manipulation.

According to the analysis from Cyvers, the attackers used a flash loan to swap USDe for other tokens, leading to a lower price of Ethena USDe (USDE) and Ethena Staked USDe (SUSDE). They then deposited the tokens to UwU Lend and lent more SUSDE than expected, driving the USDE price higher. The attackers also deposited SUSDE to UwU Lend and borrowed more Curve DAO (CRV) than anticipated.

Through these tactics, the attackers managed to steal nearly $20 million in tokens.

Notably, a recent report on CRV liquidations from Lookonchain shows that Curve Finance founder Michael Egorov borrowed various stablecoins from DeFi platforms, including UwU Lend. Egorov made loan positions worth roughly $5 million in USDT and DAI over UwU Lend.

Ironically, the UwU Lend protocol had just begun reimbursing victims of the previous hack when the second exploit occurred.

The protocol announced on X that it had repaid all bad debt for the Wrapped Ether (wETH) market, amounting to 481.36 wETH worth over $1.7 million. In total, UwU Lend has reimbursed over $9.7 million to date.

Following the first exploit, UwU claimed to have identified and resolved the vulnerability responsible, which was reportedly unique to the USDe market oracle. The protocol stated that all other markets had been re-reviewed by industry professionals and auditors, with “no issues or concerns found.”

However, crypto security firm CertiK has revealed to that the ongoing exploit is not the result of the same vulnerability but rather a consequence of the initial attack. CertiK explains that the attacker had gained a significant number of uUSDE tokens from the first exploit and was still holding them.

Despite the protocol being paused, UwU Lend still considered uUSDE as a “legitimate collateral,” explains CertiK. This condition allowed the threat actors to exploit the remaining uUSDE amounts and drain all other UwULend pools.

Share this article