TLDR
- On Monday, June 10, UwU Lend—a decentralized finance protocol—suffered a hack that resulted in nearly $20 million in losses.
- The exploit was initially identified by Cyvers, an on-chain security company, who immediately informed UwU Lend of the ongoing breach.
- The attacker executed a flash loan to distort the price feed and exploit a flaw in the protocol's price oracle system.
- Co-founder of UwU Lend, Michael Patryn, who also goes by 0xSifu, proposed a 20% bounty (about $4 million) to the hacker to retrieve the remaining assets.
- The situation sheds light on the susceptibility of DeFi platforms and the crucial necessity for enhanced security protocols to fend off such attacks in the future.
The decentralized finance protocol UwU Lend has become the latest casualty of a substantial cryptocurrency breach, with thieves redirecting nearly $20 million in digital funds on Monday, June 10.
Today's @UwU_Lend hack leads to $19.4m loss.
The underlying issue is linked to a vulnerability in the price oracle. Specifically, the sUSDe asset is valued as a median from several sources; five of them—FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe—were manipulated during the incident.
The stolen… https://t.co/4ec92zxoql pic.twitter.com/xuGGegfDpV
— PeckShield Inc. (@peckshield) June 10, 2024
Cyvers, an on-chain security firm, was the first to notice the exploit and promptly notified UwU Lend about the assault.
Cyvers reported via social media platform X (previously known as Twitter), 'Attention @UwU_Lend, your system is under attack! Up to this point, the breach has accounted for approximately $14 million...' As events unfolded, the total loss swiftly escalated past $20 million, marking this as one of the prominent crypto breaches of the year.
????ALERT????Hey @UwU_Lend , you are being attacked!
So far address got around $14M
More update will follow!
Get in touch with us to discover how to protect your digital investments! #CyversAlert pic.twitter.com/IND77hbTbH
— ???? Cyvers Alerts ???? (@CyversAlerts) June 10, 2024
Established in September 2022 by Michael Patryn, also recognized as 0xSifu, UwU Lend is a platform where users can deposit and borrow cryptocurrencies.
Patryn is a polarizing figure within the cryptocurrency community , primarily known for co-founding the now-shuttered QuadrigaCX exchange.
Despite its brief operational timeline, UwU Lend boasted an impressive $91 million in Total Value Locked (TVL) before the attack.
In-depth analysis by blockchain security experts Cyvers and Beosin disclosed that the perpetrator used a meticulously planned method to execute the theft.
Employing a flash loan, the hacker manipulated the price feed of UwU Lend's stablecoin, USDe, along with its synthetic variant, sUSDe.
This foul play enabled the attacker to capitalize on a crucial flaw in UwU Lend's price oracle system, allowing them to deplete the protocol's reserves.
According to Matthew Jiang, Director of Security Services at Blocksec, the core of the exploit stemmed from a poorly designed blockchain Oracle.
Oracles play an essential role in DeFi platforms , ensuring the delivery of precise pricing data to the protocol. When inadequately protected or poorly engineered, these systems become prime targets for attackers seeking to capitalize on vulnerabilities and embezzle funds.
Following the attack, UwU Lend's co-founder Michael Patryn adopted an unorthodox strategy to reclaim the pilfered funds. Known for his turbulent history within the cryptocurrency sector, Patryn communicated directly with the assailant via a blockchain message , proposing a 20% commission (around $4 million) if they returned the remaining 80% of the stolen assets.
The message also contained a cautionary note warning the hacker of relentless pursuit 'from every angle' if they failed to accept the offer by June 12 at 17:00 UTC.
While such reward propositions aren't unheard of in the crypto realm, adherence by hackers is rare. Yet, there have been occasions where perpetrators returned a segment of the stolen wealth following similar suggestions.
