UwU Lend Hacked Again for $3.7 Million

Another substantial security breach has occurred today at UwU Lend, a decentralized finance (DeFi) lending protocol, culminating in an estimated $3.7 million loss.

Like the previous breach, this attack targeted multiple liquidity pools and converted the stolen assets into Ethereum. This incident represents the most recent high-profile breach that has affected UwU Lend. The hacker continues to possess all of the funds in the wallet now.

UwU Lend Lost $3.7 Million Again

Today, UwU Lend suffered another significant security compromise, losing approximately $3.7 million. The same attacker responsible for a previous breach targeted the decentralized finance (DeFi) protocol, renowned for its lending services.

This most recent exploit has impacted numerous pools, such as uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. All stolen assets have been converted to Ethereum (ETH) and are presently located at the attacker’s address, “0x841ddf093f5188989fa1524e7b893de64b421f47”).

Here is the Ether Scan link: https://etherscan.io/address/0x841ddf093f5188989fa1524e7b893de64b421f47.

The attack occurred at 07:46:23 AM +UTC on June 13, 2024. The attacker employed a sophisticated approach to circumvent security measures, similar to the previous intrusion, as reported by Cyvers Alerts.

In the initial compromise, the attacker accessed UwU Lend’s smart contracts and manipulated them to drain funds from various liquidity pools.

To obscure their trace, the stolen assets, which included numerous stablecoins and other tokens, were converted into Ethereum. The assets are currently being stored in the attacker’s wallet, and efforts are being made to locate and retrieve the funds.

Attacks on UwU Lend in the Past

UwU Lend was previously hacked for roughly $20 million on June 10. The price oracle of the protocol, precisely the USD asset, was manipulated by this exploit.

The attacker funded the exploit by conducting three transactions within six minutes, draining substantial assets, using the Tornado Cash crypto-mixing protocol.

The immediate response was to halt the protocol and reduce the borrowing and deposit rates to zero to prevent additional losses. The UwU Lend team has been conducting an intensive investigation into the incident to enhance security measures and comprehend the assault vector.

However, despite efforts to mitigate the impact, the perpetrator successfully exploited vulnerabilities, converting stolen assets to Ethereum and complicating recovery efforts.

On June 11, Michael Patryn, the founder of UwU Lend and known as 0xSifu, proposed an agreement to the hacker in response to the previous attack. In exchange for the return of approximately $16 million in stolen funds, he proposed to waive prospective charges.

The hacker of this new breach is still holding the funds in a wallet, and as of the time of writing, there has been no update on the previous hack.