The UwU Lend protocol, recently targeted in a $20 million hack on June 10, has been struck again in an ongoing exploit. Onchain analytics platform Cyvers flagged the attack, linking it to the same culprits behind the initial breach.
In this new attack, $3.5 million has already been siphoned from various asset pools including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen funds have been converted to Ether and are now held at the attacker’s address: 0x841dDf093f5188989fA1524e7B893de64B421f47.
The initial exploit, occurring just days before the second, exploited a vulnerability in the price manipulation of Ethena USDe (USDE) and Ethena Staked USDe (SUSDE). The attacker used a flash loan to swap USDe, causing its price to plummet. They then deposited the tokens into UwU Lend, borrowing more SUSDE and CRV tokens than anticipated, ultimately stealing nearly $20 million. These funds were also converted into Ether.
Amid these challenges, UwU Lend was actively reimbursing victims of the first hack. The protocol announced on social media platform X that it had repaid over $9.7 million, including 481.36 wETH worth over $1.7 million. UwU identified the vulnerability in the USDe market oracle as the root cause and claimed to have resolved it, with all other markets re-reviewed by professionals and auditors.
However, according to crypto security firm CertiK, the second exploit is not a repeat of the initial vulnerability but a consequence of it. The attacker still possessed sUSDE tokens from the first exploit. Despite pausing the protocol, UwU Lend considered these tokens as valid collateral, allowing the attacker to drain the remaining pools.
As UwU Lend grapples with these consecutive attacks, the crypto community watches closely, emphasizing the need for robust security measures in decentralized finance platforms.