By
Godfrey Benjamin
July 1st, 2024
UwU Lend has yet to publicly acknowledge the second attack and the cause is still unknown.
UwU Lend, a blockchain lending platform, suffered a second exploit just as it began reimbursing victims from a recent $20 million hack. The initial attack on June 10 involved hackers manipulating the prices of USDe tokens to steal other cryptocurrencies from the platform.
On June 13, the protocol announced on X that it had started the payouts for all bad debts in the $wETH market, which totaled around 481.36 $wETH ($1,734,042). It also said it has refunded victims 80% of their assets on the network before the attack.
During this process, hackers struck the platform again, draining more funds from the protocol.
Cyvers, an on-chain data analytics firm, detected irregularities on the protocol and immediately alerted UwU Lend. The company confirmed that the attackers behind this new breach were the same individuals responsible for the earlier $20 million theft.
🚨ALERT🚨Hey @UwU_Lend, you are being targeted again by same hacker!
Look at this trx: https://t.co/RstdittKpK
More info will follow!
Want to keep your company off our alerts radar? Learn how to secure your assets: Book a Demo 🚀 https://t.co/uUbFkFTp4h#CyversAlert pic.twitter.com/mMMTByHNkK
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) June 13, 2024
Details of the Second Exploit
The latest exploit has already drained $3.5 million from various asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. At the time of writing, the criminals have successfully swapped the stolen assets for Ethereum (ETH).
The timing of this attack could not be worse for UwU Lend. Just as the team was making progress in repaying their debt, they now face additional losses and heightened security concerns. However, the protocol was able to repay a total of $9,715,288 before the second attack.
On June 12, UwU Lend announced that it had identified the cause of the first exploit, which led to the suspension of all activities on the network. According to the platform, the cause of the first attack was “unique to the USDe market oracle”.
The platform claimed it had fixed the bug and would gradually restart the network, adding that other market oracles on the platform were “re-reviewed by industry professionals and auditors with no issues or concerns found”.
Ongoing Challenges
Despite these claims, the hackers still found a way to exploit the platform again. UwU Lend has yet to publicly acknowledge the second attack and the cause is still unknown.
Meanwhile, the repeated breaches on UwU Lend underscore the vulnerabilities within decentralized finance (DeFi) platforms. Many platforms in the DeFi ecosystem have suffered massive exploits this year.
In March, cybercriminals stole $8.75 million from Woofi when attackers exploited vulnerabilities in its Swap Synthetic Proactive Market Making (sPMM). Another platform, Hedgey Finance, a token infrastructure protocol, was hit with two parallel exploits resulting in the loss of $44.7 million worth of cryptocurrencies. According to CertiK, the first three months of 2024 witnessed a series of hacks that wiped out more than $502 million worth of digital assets from the industry.