By: Eliza Bennet
The DeFi lending protocol, UwU Lend, recently faced a significant security breach resulting in a $19.5 million loss. Blockchain security firm Cyvers Alert reported the exploit, which was facilitated through the sanctioned crypto mixer Tornado Cash. The attacker executed three transactions in a span of six minutes to drain the funds, according to Cyvers co-founder and CTO Meir Dolev.
On-chain data reveals that the attacker’s wallet managed to move several digital assets including wrapped Ethereum (WETH), wrapped Bitcoin (WBTC), and stablecoins like USDC. The wallet address has since been flagged as the UwU Lend Exploiter on Etherscan, a leading blockchain analytics platform.
Web3 security firm PeckShield corroborated the incident, attributing the exploit to a price oracle issue. PeckShield explained that the sUSDe asset was priced based on a median of multiple sources which were manipulated during the attack. The affected sources included FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe. This manipulation enabled the attacker to deceive the price oracle and exploit the protocol successfully.
In response to the breach, UwU Lend confirmed the halt of its platform operations. "[We are] taking all necessary steps [and] doing our best here. Stay tuned for further updates," the protocol announced.
Despite the hack, UwU Lend experienced a 135% surge in its total value locked (TVL) over the past 24 hours. Data from DeFiLlama indicates that UwU Lend currently holds over 82,000 ETH, valued at $305 million. However, it is noteworthy that approximately $247 million of these assets are borrowed funds.
UwU Lend was founded by Michael Patryn, also known as Sifu or 0xSifu, a controversial figure who co-founded the now-defunct Quadriga CX exchange. The platform allows depositors to provide liquidity and earn passive income while enabling borrowers to obtain liquidity in an over-collateralized manner. Additionally, liquidity providers can earn revenue by staking their LP tokens.