Breaking: UwU Lend Suffers Another Hack, Losing $3.7M

UwU Lend, a decentralized finance (DeFi) lending protocol, has suffered another significant security breach today, resulting in an approximately $3.7 million loss.

This attack, executed similarly to the previous hack, targeted multiple liquidity pools and converted the stolen assets into Ethereum.This incident marks the latest high-profile breach affecting UwU Lend. At the time of writing, the Hacker still holds all the funds in the wallet.

UwU Lend Lost $3.7 Again

Today, UwU Lend suffered another significant security breach, losing approximately $3.7 million. The decentralized finance (DeFi) protocol, known for its lending services, was targeted by the same attacker responsible for a previous hack.

This most recent exploit affected several pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT, with all stolen assets converted to Ethereum (ETH) and currently residing at the attacker’s address “0x841ddf093f5188989fa1524e7b893de64b421f47.”

Ether Scan here: https://etherscan.io/address/0x841ddf093f5188989fa1524e7b893de64b421f47 .

The attack occurred on June 13, 2024, at 07:46:23 AM +UTC. According to Cyvers Alerts , the attacker used a sophisticated method to bypass security measures, similar to the previous breach. The initial breach involved the attacker gaining access to UwU Lend’s smart contracts and manipulating them to drain funds from various liquidity pools.

The stolen assets, including multiple stablecoins and other tokens, were converted into Ethereum to obfuscate their trail. Currently, the assets are held in the attacker’s wallet, and efforts to trace and recover the funds are ongoing.

Previous Attacks on UwU Lend

On June 10, UwU Lend was previously hacked for nearly $20 million . This exploit manipulated the protocol’s price oracle, particularly the sUSDe asset. The attacker utilized the Tornado Cash crypto-mixing protocol to fund the exploit, executing three transactions within six minutes to drain significant assets.

The immediate response included pausing the protocol and adjusting borrowing and deposit rates to zero to prevent further losses. The UwU Lend team has been actively investigating the incident to understand the attack vector and bolster security measures.

Despite efforts to mitigate the impact, the attacker exploited vulnerabilities effectively, converting stolen assets to Ethereum and complicating recovery efforts.

In response to the previous attack, Michael Patryn, known as 0xSifu and the founder of UwU Lend, proposed a deal to the hacker on June 11. He offered to drop potential charges in exchange for the return of about $16 million in stolen funds .

As of the time of writing, no update has been received regarding the last hack, and the hacker of this new hack still holds the fund in a wallet.