Published
3 days ago on
June 14, 2024
Table of Contents
The team behind the UwU Lend protocol has offered a $5 million bounty to whoever can identify its attacker after the protocol was exploited for a second time.
The hacker behind the UwU Lend protocol has stolen a combined $24 million over two attacks.
UwU Lend Team Offers Bounty
DeFi lending protocol UwU Lend suffered two hacks over the past three days, with the second attack occurring on Thursday when the protocol was in the middle of the reimbursement process after the first attack. UwU Lend had given the hacker a deadline to return 80% of the stolen funds. However, after this deadline was not met, the team sent an on-chain message to the hacker, stating,
“The repayment deadline for the funds you stole has passed. 5 Million Dollar bounty to the first person to identify and locate you.”
UwU Lend stated that the $5 million bounty will be paid out in ETH and given to the first individual who can locate the hacker behind the two exploits. The developments come after the same hacker pulled off a second exploit stealing funds from UwU’s uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT pools on June 13th. Blockchain security firm Cyvers stated that the same hacker carried out both exploits targeting the protocol.
The First Exploit
UwU Lend was hit by an exploit on June 10th. The protocol lost $19.3 million during the exploit, orchestrated through flash loans. The team at UwU Lend paused the protocol following the exploit and assured users that most assets were safe. UwU Lend also offered the hacker a $4 million white hat bounty to return the stolen funds, which included Wrapped Ethereum (wETH), Wrapped Bitcoin (wBTC), Curve DAO (CRV), Tether (USDT), Staked USDe (sUSDe), and several others.
According to security firm Beosin, the attacker manipulated the price of USDe by using flash loans to swap it for other tokens. This led to a decrease in the price of USDe and sUSDe. The hacker then deposited some of the tokens to UwU Lend, lending more sUSDe and driving the price of USDe higher. The hacker used the same tactic with sUSDe and borrowed CRV.
By Wednesday, the team at UwU Lend informed users it had identified the vulnerability leading to the exploit and resolved it. As a result, the protocol was unpaused, and the markets were relaunched. The team also announced it would repay all its bad debts and that user funds had not been impacted during the exploit.
The Second Attack
UwU Lend suffered a second attack on Thursday while the protocol was in the middle of its reimbursement. The second exploit saw the same attacker drain a further $3.7 million from the protocol and convert the stolen funds into ETH. The pools impacted during the second attack were uDAI, uWETH, uLUSD, uFRAX, UCRVUSD, and uUSDT. This exploit was the result of a price manipulation attack.
Many in the crypto community were concerned following the second attack and raised questions about the safety of the funds with UwU Lend. Following the attack, the protocol paused operations for the second time in a week to investigate the exploit.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Investment Disclaimer
