Blockchain security firm Cybers Alert reported that a serious exploit against DeFi lending protocol UwU Lend resulted in losses of approximately $19.5 million.
The attackers funded the wallet through Tornado Cash, an approved cryptocurrency mixer.
Meir Dolev, Co-Founder and CTO of Cybers, said: CryptoSlate From a June 10 statement:
“The UWU loan contract was exploited by attackers who executed three transactions in six minutes and caused approximately $20 million in losses.”
On-chain data showed that the attacker’s wallet moved several digital assets, including stablecoins such as Wrapped Ethereum (WETH), Wrapped Bitcoin (WBTC), and USDC. The attacker’s address was tagged as UwU Lend Exploiter on Etherscan.
Web3 security company PeckShield further corroborated this incident, adding that the root cause of the attack was a price oracle issue. It said:
“Specifically, the sUSDe asset is priced at the median across multiple sources. Among them, five were manipulated during the hacking process: FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe.”
Meanwhile, UwU Lend confirmed the incident and immediately suspended its platform. The protocol said:
“(We) are taking all necessary measures (and) doing our best here. Stay tuned for further updates.”
TVL surge?
Despite the exploit, the total value of assets locked in DeFi protocol UwU Lend has surged 135% in the last 24 hours.
According to data from DeFiLlama, UwU Lend currently holds over 82,000 ETH worth $305 million. However, about $247 million of these funds were borrowed.
UwU Lend was developed by Michael Patryn, also known as Sifu or 0xSifu, the founder of the controversial Quadriga CX exchange. The platform allows depositors to earn passive income by providing liquidity, while borrowers can obtain liquidity by way of over-collateralization. Additionally, liquidity providers provide liquidity and earn profits by staking LP tokens.