
UwU Lend hacker earns extra $3.7 million in recovery plan for earlier attack – DL News

  • UwU Lend hacker returns to grab another $3.7 million.
  • The lending protocol was hacked on Monday using a $23 million flash loan.

UwU Lend users rejoiced on Wednesday after the lending protocol said it was able to fully reimburse victims of its recent $23 million exploit.

But their celebrations were cut short when at 7:46 a.m. London time the same hacker returned to take another $3.7 million.

This is despite UwU Lend offering the hacker a 20% bounty – worth $4 million – to return the user funds taken in Monday's hack.

According to Yaron Velner, CEO of risk management project B.Protocol, the hacker was able to extract more money from the protocol using its intended functions thanks to an oversight by its developers.

“Today’s operation did not involve any manipulation. Just malicious intent and misconfiguration on the UwU side,” he told DL News.

This comes after UwU Lend said in a June 12 statement that it had identified and fixed the vulnerability in its sUSDe marketplace that the hacker had previously exploited.

“All other markets have been re-examined by industry professionals and auditors without any issues or concerns being detected,” the protocol states.

UwU Lend did not return a request for comment.

UwU Lend began refunding its users on Wednesday after the $23 million exploit temporarily took it offline.

As of 5 a.m. Thursday, the protocol said it had refunded approximately $9.7 million stolen in the first hack.

“The protocol will reimburse all bad debts, as quickly as reasonably possible,” UwU Lend said. “We are pleased to report that no user funds were lost due to this process.”

UwU Lend's controversial founder Michael Patryn, better known by his pseudonym 0xSifu, previously offered to drop all charges if the hacker returned 80% of the stolen crypto, worth around $18 million.

Oracle Attack

On Monday, a hacker used a $4 billion flash loan to manipulate the price of certain tokens on UwU Lend, allowing them to drain the protocol.

A flash loan is a type of DeFi transaction in which a user borrows funds from a lending protocol and repays them in the same transaction.

Although flash loans are often used by market makers to quickly arbitrage price differences in DeFi markets, they also enable exploits that require large amounts of capital to complete.

Circuit founder Martin Derka – who co-developed a tool to detect flash loan-based exploits while working at crypto security firm Quantstamp – said such exploits were notorious in DeFi.

“These types of vulnerabilities are typically very difficult to discover during smart contract audits, because they require in-depth knowledge of multiple protocols: those being audited and those being used as oracles,” he told DL News.

“There are also not enough automated tools capable of discovering such vulnerabilities.”

Launched in 2022, UwU Lend is a fork of Aave, the largest DeFi lending protocol with $12.4 billion in deposits.

A fork is where a team of developers uses the open source code of an existing DeFi protocol to launch a similar protocol – often on a different blockchain or with minor modifications.

But changes to Aave’s code allowed the hacker to drain UwU Lend. The protocol used easy-to-manipulate oracles – software that provided it with the prices of various tokens.

UwU Lend’s UWU token is down 15% over the past week and is trading at around $2.70.

Update, June 13: This article has been updated to include comments from B.Protocol CEO Yaron Velner, who clarified that the $3.7 million theft was not caused by a separate exploit.

Aleks Gilbert is a DeFi correspondent at DL News. Have a tip? Email him at aleks@dlnews.com.
