UwU Lend Reacts to $23 Million Hack, Halts Protocol and Engages with Hacker
UwU Lend, a lending protocol established by Sifu, the former CFO of Frog Nation, faced a substantial $19.4 million loss as a result of an oracle manipulation attack.
Initially discovered by Cyvers, the exploit unfolded through a complex sequence of three transactions completed in a mere six minutes. The hackers swiftly converted stolen Wrapped Bitcoin (WBTC) and Dai (DAI) into Ether (ETH) after receiving funds from Tornado Cash.
UwU Lend was targeted in a $20 million oracle manipulation attack, prompting the founder to propose a deal with the hacker to mitigate the damage.
On June 10th, the decentralized finance (DeFi) protocol UwU Lend fell victim to a hack, resulting in an ongoing cryptocurrency exploit worth nearly $20 million. Cyvers, an on-chain security firm, was the first to uncover the incident and alerted the community through a post on the social media platform X.
According to Cyvers, UwU Lend, a liquidity market enabling users to deposit and borrow digital assets, was attacked through a series of intricate transactions. The exploit swiftly escalated, surpassing $20 million in stolen funds within an hour of the initial alert.
The attack, funded through Tornado Cash, a crypto-mixing protocol, was carried out with remarkable speed and precision. In just six minutes, the hacker executed three malicious transactions, draining approximately $20 million. Cyvers revealed that the funding for the attack had been received from Tornado Cash two days prior to the exploit.
PeckShield identified the root cause as a price oracle issue involving the sUSDe asset, whose price was computed as a median of multiple sources. The attacker manipulated five of those sources during the hack, leading to the exploit.
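To show why a median over several sources can still be moved when a minority of them is skewed, and how a defender can detect it, here is an added example that is not taken from UwU Lend's code or from PeckShield's analysis. The count of 11 sources, all prices, the reference price and both thresholds are constructed assumptions.

```python
from statistics import median

def outlier_sources(quotes, reference, max_dev):
    """Names of sources whose quote deviates from `reference` by more than max_dev."""
    return sorted(s for s, p in quotes.items()
                  if abs(p - reference) / reference > max_dev)

def guarded_median(quotes, reference, max_dev=0.02, max_outliers=2):
    """Return (median price, accepted?, outlier source names).

    `reference` is a slow-moving price the defender trusts more than any single
    spot quote (hypothetical here). The price is rejected when too many sources
    disagree with the reference at once, or when the median itself has moved
    by more than max_dev.
    """
    price = median(quotes.values())
    outliers = outlier_sources(quotes, reference, max_dev)
    median_ok = abs(price - reference) / reference <= max_dev
    return price, (len(outliers) <= max_outliers and median_ok), outliers

# Constructed sample data: 11 hypothetical sources quoting close to 1.000.
BASELINE = {f"src{i}": p for i, p in enumerate(
    [0.996, 0.997, 0.998, 0.999, 1.000, 1.000, 1.001, 1.002, 1.003, 1.004, 1.005])}
# Same feed with five of the eleven sources skewed to 1.03 (constructed values).
SKEWED = dict(BASELINE, src0=1.03, src1=1.03, src2=1.03, src3=1.03, src4=1.03)
REFERENCE = 1.000  # assumed trusted reference price

if __name__ == "__main__":
    for name, feed in (("baseline", BASELINE), ("skewed", SKEWED)):
        price, ok, bad = guarded_median(feed, REFERENCE)
        print(f"{name}: median={price} accepted={ok} outliers={bad}")
```

With five of eleven sources skewed, the median stays inside the range of the untouched quotes but moves to its upper edge, so a check on the median alone would pass; counting how many sources disagree with the reference is what rejects the update.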
In response to the attack, UwU Lend promptly halted its protocol to prevent further losses and adjusted the borrowing and deposit rates to 0% to safeguard users’ positions. The team issued a statement on their X page detailing their immediate actions and ongoing investigation.
Michael Patryn, also known as 0xSifu, the founder of UwU Lend, extended an offer to the hacker: return approximately $16 million in crypto in exchange for potential charges being dropped. This offer was communicated through an on-chain message.
The stolen assets, including significant amounts of various cryptocurrencies, are currently held in two addresses, and the total estimated loss stands at around $23 million.
UwU Lend, functioning as a liquidity market for digital assets, reassured users that most deposited assets, including SIFU, VOLTA, FRAX, and other markets, were unaffected by the hack. PeckShield's audit of UwU Lend's code had previously characterized it as well-designed and engineered, with no high-severity or critical issues detected.
With the surge in stolen funds in the first quarter of 2024 reaching $542.7 million, a 42% increase compared to the same period in 2023, crypto hackers may be on track to surpass the previous year in terms of stolen digital assets. The escalating value of cryptocurrencies has attracted malicious actors, driving them to exploit vulnerabilities within the crypto ecosystem.