Cyvers Alert, a blockchain security firm, has disclosed a significant exploit on the DeFi lending protocol UwU Lend, culminating in a staggering loss of approximately $19.5 million. The exploit unfolded as the attacker funded their wallet through the crypto mixer Tornado Cash before executing a series of transactions within a short span of six minutes, effectively draining the UwU lending contract of nearly $20 million. Despite the swift action taken by UwU Lend to pause its platform and address the incident, the attacker managed to move various digital assets, including wrapped Ethereum (WETH), wrapped Bitcoin (WBTC), and stablecoins like USDC, to their wallet.
PeckShield, a Web3 security firm, confirmed the exploit and identified the root cause as a price oracle issue within the UwU Lend protocol. Specifically, the manipulation of assets such as sUSDe from multiple sources contributed to the vulnerability exploited by the attacker during the hack. While UwU Lend is diligently working to rectify the situation and has paused its platform temporarily, the incident underscores the ongoing challenges faced by DeFi protocols in maintaining robust security measures amidst the growing sophistication of attackers.
Despite the exploit, there has been a surge in the total value of assets locked (TVL) on the UwU Lend platform, experiencing a notable increase of 135% in the last 24 hours. Currently, UwU Lend holds over 82,000 ETH, valued at $305 million, although a substantial portion of these funds are borrowed. Developed by Michael Patryn, also known as Sifu or 0xSifu, UwU Lend enables depositors to provide liquidity and earn passive income, while borrowers can access liquidity in an over-collateralized manner. Additionally, liquidity providers have the opportunity to stake their LP tokens and earn revenue.
