UwU Lend, a decentralized finance (DeFi) protocol, has been targeted once again by the same hacker who orchestrated a $20 million exploit on June 10. The protocol was in the process of reimbursing users when the attacker struck again, stealing an additional $3.7 million. Cyvers, a blockchain security firm, alerted users to the ongoing exploit on Thursday, revealing that the attacker had targeted asset pools including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.
The stolen funds were swiftly converted to ether by the hacker. The initial June 10 incident was a flash-loan attack in which the hacker manipulated the price of the USDe stablecoin and its synthetic counterpart sUSDe. Following this, the UwU Lend team paused the protocol to address the vulnerabilities, particularly in the sUSDe market oracle, and began repaying the bad debt while reimbursing users.
Despite repaying $9.7 million of the bad debt, the protocol's recovery efforts were undermined by its treatment of the hacker's funds from the first exploit as legitimate collateral. This oversight allowed the hacker to drain additional pools within UwU Lend. MetaTrust Labs, another Web3 security firm, noted that the hacker used 60 million sUSDe from the initial hack as collateral to execute the subsequent theft, while retaining 5 million sUSDe tokens.
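To make the failure mode concrete, here is an added toy model of a pooled lending market (constructed for this article, not UwU Lend's code) showing how quarantining the addresses that hold tainted collateral removes their borrowing power while still allowing repayments. The asset price, loan-to-value ratio and attacker address are assumed placeholders.

```python
from dataclasses import dataclass, field

LTV = 0.8  # assumed max borrow value per unit of collateral value


class FrozenCollateral(Exception):
    """Raised when a quarantined address tries to borrow."""


@dataclass
class LendingPool:
    prices: dict                                   # asset -> USD price (assumed oracle feed)
    collateral: dict = field(default_factory=dict)  # (addr, asset) -> amount deposited
    debt: dict = field(default_factory=dict)        # addr -> USD borrowed
    frozen: set = field(default_factory=set)        # addresses whose collateral is quarantined
    paused: bool = False

    def freeze(self, addr):
        # Incident response: tainted deposits stay in the pool but cannot back new loans
        self.frozen.add(addr)

    def deposit(self, addr, asset, amount):
        if self.paused:
            raise RuntimeError("market paused")
        self.collateral[(addr, asset)] = self.collateral.get((addr, asset), 0.0) + amount

    def borrowing_power(self, addr):
        if addr in self.frozen:
            return 0.0  # quarantined collateral carries no borrowing power
        value = sum(amt * self.prices[asset]
                    for (a, asset), amt in self.collateral.items() if a == addr)
        return value * LTV - self.debt.get(addr, 0.0)

    def borrow(self, addr, usd):
        if self.paused:
            raise RuntimeError("market paused")
        if addr in self.frozen:
            raise FrozenCollateral(addr)
        if usd > self.borrowing_power(addr):
            raise ValueError("insufficient collateral")
        self.debt[addr] = self.debt.get(addr, 0.0) + usd
        return self.debt[addr]

    def repay(self, addr, usd):
        # Repayment is always allowed so bad debt can be wound down during a freeze
        self.debt[addr] = max(0.0, self.debt.get(addr, 0.0) - usd)
        return self.debt[addr]


def demo():
    pool = LendingPool(prices={"sUSDe": 1.0})
    attacker = "0xATTACKER_PLACEHOLDER"
    pool.deposit(attacker, "sUSDe", 60_000_000)       # tainted tokens from the first exploit
    unprotected = pool.borrowing_power(attacker)      # power if treated as legitimate collateral
    pool.freeze(attacker)
    try:
        pool.borrow(attacker, 1.0)
        blocked = False
    except FrozenCollateral:
        blocked = True
    return unprotected, pool.borrowing_power(attacker), blocked
```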
Michael Patryn, co-founder of the now-defunct crypto exchange QuadrigaCX and also known as “0xSifu,” initially offered a 20% bounty to the hacker in exchange for the return of 80% of the stolen funds. However, following the latest developments, Patryn has revised his approach. In a recent blockchain message, he stated, “Repayment deadline for the funds you stole has passed. Five million dollar bounty to the first person to identify and locate you, paid in ETH.”
This sequence of events highlights significant security challenges in the DeFi space, especially concerning the management of vulnerabilities and the consequences of treating maliciously acquired tokens as valid collateral.