On June 10, 2024, UwU Lend, a non-custodial liquidity market protocol, fell victim to a sophisticated multi-transaction exploit on the Ethereum mainnet, resulting in a staggering $23 million loss.

The root cause? A vulnerability in the protocol's price oracle system, which relied on the median of 11 price sources, five of which could be manipulated using Curve Finance pools, 

we take immense pride in the fact that Cyvers' state-of-the-art Security Operations Centre (SOC) was the first to detect the UwU Lend exploit in real-time. Our vigilant threat monitoring systems raised the alarm bells when the stolen amount was a mere $14 million, prompting our team to swiftly disclose the ongoing attack to the wider Web3 community. 

This proactive approach not only garnered recognition for our early detection capabilities but also played a crucial role in mitigating the risk of additional losses for investors and stakeholders in the UwU Lend protocol.

https://x.com/Cyvers_/status/1802674928950432097

‍

Let’s understand the attacker’s strategy

1. The attacker's strategy was very clever. They initiated by taking a massive $3.796 billion flash loan from various DeFi protocols, one of the largest ever borrowed for a single trade. Roughly half of these borrowed assets were used to create a leveraged position with substantial sUSDE debt.

https://x.com/CyversAlerts/status/1800139071857316328

2. The remaining assets were then strategically deployed to manipulate the price of sUSDE across the five vulnerable price sources on UwU Lend's oracle, artificially inflating its value. 
3. This rendered the attacker's leveraged position insolvent, triggering liquidations. Through calculated manoeuvres, the exploiter repeatedly liquidated their position, acquiring significant amounts of uWETH. 

4. Finally, they reversed the manipulated asset prices, repaid the flash loan, and secured their ill-gotten profits.

‍

The Aftermath and Cyvers' Early Detection

The stolen funds encompassed assets like USDT, FRAX, bLUSD, and DAI, totaling over $23 million. The attacker swiftly converted these to ETH and distributed them across two addresses under their control.

Notably, we at Cyvers, a leading provider of Web3 real-time security solutions, were the first to detect and responsibly disclose the ongoing exploit to the wider community when the stolen amount was $14 million, garnering praise for their early detection capabilities.

In the wake of the attack, the UwU Lend team acknowledged the exploit and paused the protocol. However, the attacker struck again three days later, exploiting the remaining vulnerabilities and syphoning an additional $3.72 million.

https://x.com/CyversAlerts/status/1801160124033093748

‍

Lessons Learned and Preventive Measures

The UwU Lend exploit underscores the criticality of robust Oracle security in DeFi. While using multiple price feeds appeared robust, the lack of liquidity and price smoothing in half of these feeds proved exploitable.

Furthermore, implementing monitoring systems that trigger alerts or enforce limits on unusually large transactions or flash loans could provide an additional layer of security.

‍

Conclusion

The UwU Lend exploit serves as a stark reminder that in the DeFi landscape, innovation must go hand in hand with an unwavering commitment to security. As the ecosystem continues to evolve, robust Oracle implementations, comprehensive auditing, and proactive monitoring will be paramount to safeguarding user funds and fostering trust.

‍