- Blockbasis
- Posts
- UwuLend: Decrypting the $19.4 Million Oracle Hack
UwuLend: Decrypting the $19.4 Million Oracle Hack
Unraveling the $19.4 Million UwuLend Oracle Exploit: Delving into the Vulnerability, Suspicions Surrounding Sifu, and the Intriguing Trail of Crypto Crime Connections
Blockbasis
June 11, 2024
TL;DR
UwuLend, a lending protocol, fell victim to a $19.4 million exploit due to an oracle vulnerability despite passing a security audit. Suspicions arose around Sifu's involvement, given past associations with crypto crime scenes. Questions linger about the choice to rely on DEX prices and the identity of the shadowy figure advising exploiters.
Make Sure This Hack Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your the funds in your wallet is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
UwuLend, a lending protocol recently launched, suffered a significant breach, losing $19.4 million in an oracle manipulation attack.
The attack, first detected by Cyvers, involved three rapid transactions executed within six minutes. The stolen $WBTC and $DAI were quickly converted into $ETH, with the funds originating from Tornado Cash.
Approximately an hour after the breach, UwuLend confirmed the exploit and suspended operations to investigate further.
The protocol was paused a little under an hour ago while the team investigates the situation. Please rest assured that we were made aware of the situation immediately and are taking all necessary steps, doing our best here. Stay tuned for further updates.
— UwU Lend (@UwU_Lend)
1:33 PM • Jun 10, 2024
The $19.4 million in stolen assets was transferred across two Ethereum addresses in a meticulously planned operation.
This incident is particularly alarming, considering the protocol had just undergone a thorough security audit. From the perspective of UwuLend's depositors, it felt like a devastating rug pull.
The involvement of Sifu, a former CFO with a history of controversies, has intensified skepticism.
The question now is whether this could be another sophisticated deception orchestrated in the crypto world.
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
UwuLend’s smart contract, a fork of AAVE V2, incorporated a modified oracle fallback logic that was exploited to borrow assets at one rate and liquidate them at an inflated rate.
Nick Franklin's root cause analysis revealed that the exploit leveraged a price discrepancy in UwuLend's oracles. The attacker utilized a flash loan to manipulate prices.
UwuLend's fallback oracle calculated asset prices based on the state of several Curve pools. By executing large trades with the borrowed tokens, the attacker manipulated these pool states.
This manipulation allowed the attacker to borrow sUSDe at a rate of 0.99 and liquidate positions at the artificially inflated rate of 1.03, capitalizing on the price difference.
The attacker, identified as 0x841ddf093f5188989fa1524e7b893de64b421f47, executed the exploit through the following transactions:
The stolen funds, amounting to $19.4 million, have been traced to two addresses:
These addresses currently hold the illicit gains, showcasing the precision and coordination involved in the exploit.
One individual who suffered significant losses is Michael Egorov, the founder of Curve, who lost over 23.5 million CRV tokens (valued at $9.85 million) deposited into UwuLend.
The attacker subsequently deposited the stolen tokens into Curve’s Llama Lend, borrowing just over 8 million crvUSD ($8.11 million).
In a positive turn, the diligent lenders of crvUSD in LlamaLend's CRV market managed to fully hard-liquidate the hacker's position by repaying the debt. This outcome highlighted the robustness of the LlamaLend platform.
The unfolding situation and its impacts are being actively discussed and analyzed in real-time on the Curve Social Telegram channel.
In response to the attack, Sifu extended an on-chain olive branch to the perpetrator, offering a 20% white hat bounty if they cooperate by June 12, 17:00 UTC. After the deadline, the bounty will instead incentivize those who can expose and help bring the attacker to justice.
Meanwhile, another individual sent an on-chain message to the hacker with instructions on how to move the funds undetected. This address has previously communicated with exploiters involved in breaches of Gala Games, PlayDapp, and Exactly Protocol.
UwuLend had been audited by Peckshield, which described the code as "well designed and engineered," noting "no high-severity or critical issues."
This raises the question: how did such a critical oracle vulnerability go unnoticed by the auditors?
The situation underscores the complexities and challenges of ensuring security in the ever-evolving landscape of blockchain technology.
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
The $19.4 million exploit on UwuLend raises more questions than answers.
Despite a recent security audit, an elementary oracle vulnerability facilitated one of 2024's most perplexing thefts.
The attacker's identity remains unknown, with suspicion falling on Sifu, a figure linked to multiple crypto crime scenes. This has led to questions about UwuLend's decision to use decentralized exchange prices as a fallback oracle.
As conspiracy theories swirl, it is unclear if the UwuLend attack was merely an unfortunate security lapse or something more sinister.
The overlapping breadcrumb trail of Sifu's involvement, the unconventional oracle design, and the mysterious on-chain instructions add layers of intrigue.
Who is the shadowy figure advising the exploiters? Are there deeper, cryptic connections yet to be uncovered, or is it merely someone attempting to exploit the attacker?
The crypto community watches and waits for answers.
Instantly calculate the time you can save by automating compliance
Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.
Instantly calculate how much time you can save with Vanta.