DeFi Double Whammy: UwULend Hacked for Over $23 Million

Magnus Woodgate | Principal Researcher @ Romulus Technologies

The world of Decentralized Finance (DeFi) has been rocked by a series of high-profile hacks in recent months.

This time, it was UwU Lend's turn to face the wrath of cybercriminals. In a double blow, the platform suffered not one, but two separate exploits, resulting in total losses exceeding $23 million. Buckle up as we dive into the details of this DeFi heist and explore the security concerns it raises for the future of the industry.

What is UwU Lend?

UwU Lend is an Ethereum-based DeFi lending and liquidity protocol. Built on the open-source code of AAVE v2, it offered functionalities common to DeFi platforms: users could deposit crypto assets to earn interest by supplying liquidity to lending pools.

Conversely, users could borrow cryptocurrencies by depositing other digital assets as collateral.

The platform aimed to incentivize participation by sharing a portion of its revenue with users through its native UwU token.

What exactly happened…the first time?

The first attack, detected on June 10th, showcased a clever manipulation tactic. Hackers utilized a DeFi lending trick called "flash loans" to artificially inflate the price of a stablecoin, specifically UwU Lend's sUSDe.

The UwU Lend team sent their thanks to Hypernative Labs for first notifying the team about the hack:

Flash loans allow borrowers to take out massive amounts of cryptocurrency upfront, on the condition it is all repaid within the same transaction.

In this case, the hackers used the loaned funds to manipulate the price feed of sUSDe, making it appear much higher than its actual value.

This deceived UwU Lend's protocol, allowing the attackers to borrow real assets at a seemingly discounted rate before quickly dropping the sUSDe price and draining the borrowed assets from the platform, leaving UwU Lend with a hefty bill to foot.

The UwU Lend hack, which unfolded in two parts this June, exploited vulnerabilities in the platform's price oracle system.

Here's a breakdown of the first attack:

  1. Flash Loan Manipulation: Hackers leveraged a flash loan mechanism, likely from a service like Aave or dYdX. This allowed them to borrow a massive amount of assets (likely stablecoins like USDC) without upfront collateral, with the requirement to repay it within the same transaction.

  2. sUSDe Price Manipulation: The borrowed assets were then used to manipulate the price feed of UwU Lend's sUSDe (wrapped USDe) token. This could have involved a series of large, rapid trades within a specific liquidity pool (like CurveFinance) where sUSDe was paired with other assets. By strategically buying and selling sUSDe, the hackers could artificially inflate its price.

  3. Exploiting the Inflated Price: With the sUSDe price artificially high, the attackers deposited a smaller amount of real collateral (potentially other cryptocurrencies) into UwU Lend. Due to the manipulated sUSDe price, the platform's protocol allowed them to borrow a much larger amount of other crypto assets at a seemingly discounted rate (based on the inflated sUSDe value).

  4. Rapid Exit: Once the desired assets were borrowed, the hackers quickly reversed their manipulation tactics, dumping the large amount of sUSDe borrowed from the flash loan. This sent the sUSDe price plummeting back to its actual value. However, since they had already borrowed the real assets, they could now drain them from the platform and convert them into a more liquid cryptocurrency like Ethereum (ETH) before repaying the flash loan.
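To make the mechanism in the breakdown above concrete from the defender's side, here is an added, constructed Python model (not UwU Lend's code and not the attacker's transactions): a lending pool that values collateral at a single liquidity pool's raw spot price, beside a guarded version that cross-checks spot against a time-weighted average from prior blocks and refuses to lend when they diverge. The pool reserves, risk parameters and amounts are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
# Assumed risk parameters for this toy model, not UwU Lend's actual settings
MAX_DEVIATION_BPS = 500   # reject a spot price more than 5% away from the TWAP
LTV_BPS = 7500            # allow borrowing up to 75% of the collateral's value

@dataclass
class SpotPool:
    """Constant-product pool read as a single-source (manipulable) spot oracle."""
    reserve_token: float
    reserve_usd: float
    def spot_price(self) -> float:
        return self.reserve_usd / self.reserve_token

    def buy_token_with_usd(self, usd_in: float) -> None:
        """A large buy inside one transaction pushes the spot price up."""
        k = self.reserve_token * self.reserve_usd
        self.reserve_usd += usd_in
        self.reserve_token = k / self.reserve_usd   # tokens bought leave the pool

def twap(history: list) -> float:
    """Average of prices recorded in earlier blocks; an in-transaction spike is absent."""
    return sum(history) / len(history)

def max_borrow_naive(pool: SpotPool, collateral: float) -> float:
    """Vulnerable pattern: collateral valued at the raw in-pool spot price."""
    return collateral * pool.spot_price() * LTV_BPS / 10_000

def max_borrow_guarded(pool: SpotPool, history: list, collateral: float) -> float:
    """Hardened pattern: cross-check spot against the TWAP and use the lower value."""
    spot, ref = pool.spot_price(), twap(history)
    deviation_bps = abs(spot - ref) / ref * 10_000
    if deviation_bps > MAX_DEVIATION_BPS:
        raise ValueError(f"spot/TWAP deviation of {deviation_bps:.0f} bps exceeds limit")
    return collateral * min(spot, ref) * LTV_BPS / 10_000

def simulate(flash_loan_usd: float = 2_000_000, collateral: float = 100_000) -> dict:
    """Constructed scenario: a 1:1 pool, then a flash-loan-sized buy in one tx."""
    pool = SpotPool(reserve_token=1_000_000, reserve_usd=1_000_000)
    history = [1.0, 1.0, 1.0]                      # prices seen in prior blocks
    honest = max_borrow_naive(pool, collateral)
    pool.buy_token_with_usd(flash_loan_usd)        # spot jumps from 1.0 to ~9.0
    inflated = max_borrow_naive(pool, collateral)
    try:
        guarded = max_borrow_guarded(pool, history, collateral)
    except ValueError as err:                      # the guard refuses the loan
        guarded = str(err)
    return {"spot": pool.spot_price(), "honest": honest,
            "naive_after_spike": inflated, "guarded_after_spike": guarded}
```

With the default amounts the naive valuation lets the same collateral back nine times the honest borrow, while the guarded valuation rejects the request outright; a small, in-tolerance price move is still accepted at the lower of the two prices.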

You can check out the on-chain attack transactions if interested:

https://etherscan.io/tx/0x242a0fb4fde9de0dc2fd42e8db743cbc197ffa2bf6a036ba0bba303df296408b

https://etherscan.io/tx/0xb3f067618ce54bc26a960b660cfc28f9ea0315e2e9a1a855ede1508eb4017376

https://etherscan.io/tx/0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3

All in all, this attack resulted in a significant loss for UwU Lend, estimated to be around $19.3 million in various cryptocurrencies.

While the platform claimed to have patched the vulnerability, a follow-up attack just days later exposed further security weaknesses within the protocol.

And the second time?

At this point the UwU Lend team posted that the vulnerability had been fixed and the source code re-reviewed, acknowledging that the root cause lay specifically in their sUSDe market oracle:

The bad debt was then repaid by the UwU Lend team:

The protocol was then attacked again (by the same attacker) 3 days later, this time draining an additional $3.7 million in assets (~1064 ETH).

See the original TX: https://etherscan.io/tx/0x9235e0662e230bdfa94f56f4932fd09a95fea17e4b9b44a4f40a59449e216110

The second UwU Lend attacker’s ETH transfers.

Although there was no formal description of exactly how this second attack took place, it seems to follow a very similar pattern to the first attack.

UwU Lend then came forward on the 27th of June, stating that more bad debt had been repaid:

What can be done to avoid this in future?

DeFi cybersecurity remains a work in progress. While the technology offers revolutionary financial possibilities, it's still vulnerable to exploitation. This is why a diverse pool of security researchers and smart contract auditors is crucial. These experts act as the DeFi security net, identifying and patching vulnerabilities before attackers can leverage them. Their varied skillsets and perspectives are essential for a thorough analysis.

If you're looking to get your smart contract project audited, or need a more bespoke security solution, don't hesitate to reach out.

Looking for ASSISTANCE?

Romulus Technologies is a Swiss-based DeFi research firm specializing in security and low-level on-chain topics. If you are looking to get your project's smart contracts audited, optimize for gas usage, or get an expert review of your system architecture, don't hesitate to reach out at info@romulus-technologies.xyz.

Disclaimer

The information provided on this blog is for general informational and educational purposes only. It is not intended as, and should not be construed as, financial advice. The content represents the personal opinions and views of the author, which are subject to change. We do not warrant or guarantee the accuracy, completeness, or adequacy of the information presented. The information contained on this blog is for general informational purposes only and does not constitute financial or investment advice. DeFi (Decentralized Finance) is a rapidly evolving and complex field with inherent risks. The content on this blog is not intended to be a substitute for professional financial advice.
