UwU Lend, a popular protocol, fell victim to yet another major hack, losing $3.5 million in assets from various pools such as uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen funds were swiftly converted to ETH and sent to the attacker’s address, 0x841dDf093f5188989fA1524e7B893de64B421f47. Cyvers, an onchain data analytic platform, notified UwU Lend about the breach, linking it to the same attackers responsible for the previous $20 million theft.
The initial hack on June 10 involved price manipulation, with the attacker utilizing a flash loan to swap USDe for other tokens, causing a drop in the value of $USDe and $sUSDe. By depositing these tokens into UwU Lend and borrowing more than expected, the attacker drove up the $USDe price and made off with nearly $20 million in tokens, which were then converted to ETH.
As UwU Lend was in the process of reimbursing victims of the first hack, the second attack disrupted their efforts. Despite having repaid a significant amount, including 481.36 $wETH totaling $1,734,042, the protocol had reimbursed a total of $9,715,288 before the second breach occurred.
Following the incidents, UwU Lend identified and resolved the vulnerability that led to the initial exploit, assuring users that all other markets had been thoroughly reviewed by professionals and auditors with no further issues found. This serves as a stark reminder of the importance of consistent monitoring and robust security measures in the DeFi space.