
UwU Lend hacker swipes another $3.7m amid payback plan for earlier attack

The UwU Lend hacker has swiped another $3.7 million after exploiting the protocol for $23 million earlier in the week. Credit: Darren Joseph
  • The UwU Lend hacker returns to swipe another $3.7 million.
  • The lending protocol was hacked using a flash loan for $23 million on Monday.

UwU Lend users rejoiced on Wednesday after the lending protocol said it was able to fully reimburse victims of its recent $23 million exploit.

But their celebrations were cut short when, at 7:46 am London time, the same hacker returned to take another $3.7 million.

That’s despite UwU Lend offering the hacker a 20% bounty — worth $4 million — to return users’ funds from a Monday hack.

According to Yaron Velner, CEO of risk management project B.Protocol, the hacker was able to drain more money from the protocol using its intended functions due to an oversight from its developers.

“The operation today did not entail any manipulation. Just a malicious intent, and erroneous configuration on UwU side,” he told DL News.

It comes after UwU Lend said in a June 12 X post that it had identified and fixed the vulnerability in its sUSDe market that the hacker previously exploited.

“All other markets have been re-reviewed by industry professionals and auditors with no issues or concerns found,” the protocol said.

UwU Lend did not return a request for comment.


UwU Lend began repaying users on Wednesday after the $23 million exploit forced it temporarily offline.

As of 5 am on Thursday, the protocol said it had repaid about $9.7 million stolen in the first hack.

“The protocol will repay all bad debt, as quickly as reasonably possible,” UwU Lend said. “We are happy to announce that no user funds have been lost due to this process.”

UwU Lend’s controversial founder Michael Patryn, better known by his pseudonym 0xSifu, had previously offered to drop any charges if the hacker returned 80% of the stolen crypto, worth about $18 million.

Oracle attack

On Monday, a hacker used a $4 billion flash loan to manipulate the price of certain tokens on UwU Lend, which allowed them to drain the protocol.

A flash loan is a type of DeFi transaction where a user borrows funds from a lending protocol and repays them in the same transaction.

While flash loans are often used by market makers to quickly arbitrage price differences in DeFi markets, they also make possible exploits that would otherwise require large amounts of capital to perform.

Zircuit co-founder Martin Derka — who co-developed a tool to detect flash loan-based exploits while at crypto security firm Quantstamp — said such exploits were notorious in DeFi.

“These kinds of vulnerabilities are usually very difficult to discover during smart contract audits, because they require in-depth knowledge of multiple protocols — those that one is auditing, and those that are being used as oracles,” he told DL News.

“There are also not enough automated tools that are capable of discovering such vulnerabilities.”

Launched in 2022, UwU Lend is a fork of Aave, the largest DeFi lending protocol with $12.4 billion of deposits.

A fork is where a developer team uses the open-source code from an existing DeFi protocol to launch a similar protocol — often on a different blockchain or with minor changes.

But the changes to Aave’s code allowed the hacker to drain UwU Lend. The protocol used easily manipulated oracles — software that provides it with the prices of various tokens.
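The two passages above describe the mechanism only in words: a flash loan supplies capital for a single transaction, and a price oracle that reads the spot reserves of one pool can be moved by that transaction. The following Python model, added here as an illustration and not code from UwU Lend, Aave or any project named in the article, shows why a spot-reserve oracle is unreliable and what a lending market can do about it. The pool sizes, the 30-block history, the trade size and the 5% tolerance are all constructed values; the constant-product pool, the TWAP oracle and the deviation check are simplified stand-ins for real contracts.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k automated market maker (constructed for this example).
    reserve_a is the collateral token; reserve_b is the quote token."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """Instantaneous price of one A in units of B, read straight from the
        reserves. This is what an 'easily manipulated oracle' returns."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell amount_b of B into the pool and receive A (fee ignored).
        Returns the amount of A received."""
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b
        new_a = k / new_b
        received = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return received


class TwapOracle:
    """Time-weighted average price over the last `window` block observations.
    A trade inside the current block cannot alter samples already recorded at
    earlier block closes, so one flash-loan transaction cannot move this value."""

    def __init__(self, window: int) -> None:
        self.samples = deque(maxlen=window)

    def record_block_close(self, price: float) -> None:
        self.samples.append(price)

    def price(self) -> float:
        if not self.samples:
            raise ValueError("no observations yet")
        return sum(self.samples) / len(self.samples)


def price_within_bounds(spot: float, reference: float, max_deviation_bps: int) -> bool:
    """Sanity check a lending market can apply before trusting a spot price:
    reject it when it deviates from the reference by more than
    max_deviation_bps basis points (100 bps = 1%)."""
    deviation_bps = abs(spot - reference) / reference * 10_000
    return deviation_bps <= max_deviation_bps


def simulate_single_block_manipulation(trade_size_b: float = 3_000_000.0) -> dict:
    """Constructed scenario: a pool holding 1,000,000 A and 1,000,000 B (spot 1.0)
    has priced at 1.0 for the last 30 blocks. One large swap, of the size that
    borrowed capital makes possible, lands in the current block."""
    pool = ConstantProductPool(reserve_a=1_000_000.0, reserve_b=1_000_000.0)
    twap = TwapOracle(window=30)
    for _ in range(30):
        twap.record_block_close(pool.spot_price())   # calm market history

    spot_before = pool.spot_price()
    pool.swap_b_for_a(trade_size_b)                  # same-block large trade
    spot_after = pool.spot_price()

    return {
        "spot_before": spot_before,                  # 1.0
        "spot_after": spot_after,                    # 16.0 after the swap
        "twap": twap.price(),                        # still 1.0
        # a market that trusts the raw spot price would accept 16.0;
        # one that checks it against the TWAP with a 5% tolerance refuses it
        "spot_oracle_accepted": price_within_bounds(spot_after, twap.price(), 500),
    }


if __name__ == "__main__":
    for key, value in simulate_single_block_manipulation().items():
        print(f"{key:>22}: {value}")
```

The point for a reviewer of a lending market's configuration is the last line of the result: a collateral price that has moved 16x against a 30-block average is a signal to refuse the borrow, pause the market or fall back to another price source, not a value to lend against. The same check also catches the non-malicious case of a thin pool whose reserves drift, which is why production oracles combine several sources and a staleness bound rather than relying on a single pool's reserves.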

UwU Lend’s UWU token is down 15% over the past week, and trades at around $2.70.

Update, June 13: This article was updated to include comments from B.Protocol CEO Yaron Velner that clarify the $3.7 million theft was not caused by a separate exploit. An earlier version misstated the name of the blockchain Martin Derka co-founded; it is Zircuit, not Circuit.

Aleks Gilbert is a DeFi Correspondent at DL News. Got a tip? Email him at aleks@dlnews.com.
