A significant exploit on the DeFi lending protocol UwU Lend has resulted in a loss of approximately $19.5 million, according to blockchain security firm Cyvers Alert. The attacker funded their wallet through the crypto mixer Tornado Cash.
Cyvers co-founder and CTO Meir Dolev stated that the attacker executed three transactions in six minutes, draining around $20 million from the UWU lending contract. The attacker’s wallet moved various digital assets, including wrapped Ethereum, wrapped Bitcoin, and stablecoins like USDC. The attacker has been labeled as the UwU Lend Exploiter on Etherscan.
Web3 security firm PeckShield confirmed the incident, pointing out that a price oracle issue was the root cause of the attack. UwU Lend has acknowledged the exploit and has paused its platform while taking necessary steps to address the situation.
Despite the exploit, the total value of assets locked on UwU Lend surged by 135% in the last 24 hours. The platform currently holds over 82,000 ETH, valued at $305 million, with $247 million in borrowed funds. UwU Lend was created by Michael Patryn, also known as Sifu or 0xSifu, the founder of the defunct Quadriga CX exchange. The platform allows depositors to earn passive income by providing liquidity and enables borrowers to obtain liquidity in an over-collateralized manner. Liquidity providers can also earn revenue by staking their LP tokens.
The incident has been categorized under Ethereum and Hacks.
