UwU Lend Suffers Second $3.7 Million Exploit Three Days After $19 Million Hack

Decentralized lending protocol UwU Lend has been hit by a second exploit in the span of just three days, with attackers extracting an additional $3.7 million from the platform on June 13, 2024. The breach comes as the protocol was actively working to reimburse users affected by the initial $19.3 million hack that occurred on June 10, raising serious questions about the security posture of DeFi platforms built on forked codebases.

The Exploit Mechanics

On-chain analytics platform Cyvers was the first to detect the ongoing attack, alerting the UwU Lend team that the same attacker responsible for the June 10 breach had returned for a second round. The attacker drained funds from multiple asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. All stolen assets were rapidly converted to Ethereum and transferred to the attacker’s known address.

The root cause of both attacks traces back to a vulnerability in the sUSDe market oracle. The initial June 10 attack exploited an improperly designed price oracle that calculated the value of Ethena Staked USD (sUSDe) by averaging prices derived from multiple liquidity pools. Using large flash loans, the attacker was able to manipulate prices in four of these pools simultaneously, causing the oracle to report artificially inflated values. This manipulation allowed the attacker to borrow approximately $19.3 million more than the collateral justified, effectively draining the protocol’s liquidity.

While the UwU Lend team claimed on June 12 that they had identified and patched the sUSDe oracle vulnerability, the attacker found a way to exploit residual weaknesses in the protocol’s defenses. The fact that the same attacker returned successfully indicates that the initial patch was incomplete, and that the protocol’s pause and recovery procedures did not fully address the attack vector.

Affected Systems

UwU Lend is a decentralized non-custodial liquidity market protocol that functions as a fork of Aave v2. Founded in September 2022 by Michael Patryn, also known as “0xSifu,” the protocol had amassed approximately $91 million in Total Value Locked (TVL) before the first exploit on June 10. The platform offers lending, borrowing, and staking services, with a revenue-sharing token called UwU that distributes a portion of protocol fees to holders.

The combined damage from both attacks totals approximately $23 million. Following the first attack, the protocol was temporarily paused and independent audits were commissioned for all remaining markets. The team reported that no additional issues were discovered during these audits, though the second attack proved this assurance premature. By June 13, the team had successfully reimbursed $9,715,288 to affected users, comprising 3,522,427 DAI, 233,819 crvUSD, 4,225,000 USDT, and 481.36 wETH (valued at $1,734,042).

Patryn’s controversial background adds another layer of scrutiny to the incident. As the co-founder of the collapsed Canadian crypto exchange QuadrigaCX, Patryn previously served as treasurer of Wonderland DAO under the pseudonym “Sifu” before being ousted after his identity was revealed by blockchain investigator ZachXBT. Following the first hack, Patryn sent an on-chain message to the attacker offering a 20% bounty in exchange for returning 80% of the stolen funds, with a deadline of June 12.

The Mitigation Strategy

The UwU Lend team’s response to the dual exploits highlights both the strengths and weaknesses of DeFi incident response. After the first attack, the protocol was paused and the team identified the sUSDe oracle as the vulnerable component. Independent security professionals and auditors reviewed all other markets. However, the failure to prevent the second attack suggests that the patch was applied reactively rather than comprehensively.

In an interesting development, the attacker from the first breach deposited much of the stolen funds into Curve Finance’s Llama Lend protocol, using it to borrow crvUSD. Curve Finance lenders subsequently managed to hard-liquidate the hacker’s position. Curve Finance described this as an “unprecedented and unplanned test of LlamaLend resiliency,” noting that the system worked as designed under extreme conditions.

For the broader DeFi ecosystem, the incident underscores the critical importance of robust oracle design. Price oracles that rely on decentralized exchange liquidity pools as their primary data source remain vulnerable to flash loan manipulation, particularly when the oracle averages prices across a small number of pools that can be simultaneously influenced by a well-capitalized attacker.
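
The aggregation weakness described above and in the exploit mechanics section, as an added example that is not UwU Lend's code: it compares a mean and a median over pool spot prices when some pools are skewed, then adds a deviation check against a reference price. The nine pool prices, the 1.5x skew, the 5% bound, and the reference price (assumed to come from earlier blocks) are all constructed for illustration.

```python
from statistics import mean, median

# Constructed sample data: spot prices (USD) read from nine hypothetical pools.
HONEST = [1.00, 1.01, 0.99, 1.00, 1.02, 0.98, 1.00, 1.01, 0.99]


class OracleRejected(Exception):
    """Raised when the aggregated price fails the sanity check."""


def manipulate(prices, k, factor):
    """Copy of prices with the first k pools skewed by factor, modelling
    spot prices distorted inside a single transaction."""
    return [p * factor if i < k else p for i, p in enumerate(prices)]


def report(k, factor=1.5):
    """(mean, median) of the pool prices when k pools are skewed."""
    skewed = manipulate(HONEST, k, factor)
    return mean(skewed), median(skewed)


def guarded_price(spot_prices, reference, max_dev=0.05):
    """Median of the pool prices, accepted only if it stays within max_dev
    of a reference price taken from earlier blocks (assumed input, e.g. a
    time-weighted average), which a same-transaction skew cannot move."""
    price = median(spot_prices)
    if abs(price - reference) / reference > max_dev:
        raise OracleRejected(f"price {price:.3f} deviates from {reference:.3f}")
    return price


if __name__ == "__main__":
    for k in (0, 4, 5):
        m, med = report(k)
        print(f"{k} pools skewed: mean={m:.3f} median={med:.3f}")
    print("accepted:", guarded_price(manipulate(HONEST, 4, 1.5), 1.00))
    try:
        guarded_price(manipulate(HONEST, 5, 1.5), 1.00)
    except OracleRejected as exc:
        print("rejected:", exc)
```

With four of nine pools skewed, the mean moves by about 22% while the median moves by 2%. Once a majority of pools is skewed the median follows them, and only the reference check rejects the price.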

Lessons Learned

The UwU Lend double exploit provides several critical lessons for the DeFi community. First, protocol forks inherit the security assumptions of their parent codebase but must independently verify all integrations, especially custom oracle implementations. UwU Lend forked Aave v2 but added its own sUSDe oracle, which became the attack surface. Second, a single patch is rarely sufficient after a major exploit. The attacker had already demonstrated sophisticated understanding of the vulnerability, and returning to the same protocol within 72 hours suggests that the attacker had identified multiple exploitation paths.

Third, the incident highlights the risk of relying on TVL as a measure of protocol health. Despite $91 million in locked value, the oracle vulnerability allowed a single attacker to extract nearly a quarter of the protocol’s assets. Finally, the recovery efforts demonstrate that transparent communication and rapid reimbursement can partially mitigate reputational damage, though the second exploit significantly undermined the team’s credibility regarding their security posture.

User Action Required

Users who had funds deposited in UwU Lend should verify whether their assets were affected by either exploit. The protocol has committed to repaying all bad debt as quickly as possible, but users should monitor official UwU Lend communications for updates on the reimbursement timeline. Given the double exploit, users should exercise extreme caution before re-depositing funds. Any interaction with the protocol should be preceded by a thorough review of the team’s updated security audit reports. For DeFi users more broadly, this incident serves as a reminder to diversify across protocols and never deposit more than you can afford to lose in a single platform, regardless of its TVL or apparent security posture. With Bitcoin trading at approximately $66,756 and Ethereum at $3,469 at the time of the second exploit, the broader market downturn put additional pressure on DeFi protocols with leveraged positions.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before interacting with any DeFi protocol.


6 thoughts on “UwU Lend Suffers Second $3.7 Million Exploit Three Days After $19 Million Hack”

      1. working on reimbursement while the same attacker drains another $3.7M is beyond parody. how do you not pause everything after a $19M hack

    1. nobody paused the contracts because the team was probably asleep. first attack was june 10, second was june 13. over a weekend. classic DeFi security theater

  1. sUSDe oracle was the weak link in both attacks. averaging prices from liquidity pools is just asking for flash loan manipulation

    1. averaging LP prices for oracle feeds is a known anti-pattern since the Mango Markets exploit. same playbook: flash loan, manipulate thin LP, profit. protocols keep repeating the same mistake
