flash loan oracle manipulation

In a devastating one-two punch that rocked the DeFi community, UwU Lend suffered a major flash loan exploit resulting in approximately $23.7 million in losses across two separate attacks in June 2024.

The attacker leveraged a sophisticated oracle price manipulation strategy, executing flash loans potentially worth up to $4 billion to artificially inflate collateral values across multiple liquidity pools.

Flash loans worth billions temporarily inflated pool values, creating phantom collateral in a digital sleight-of-hand attack.

The exploit targeted the sUSDe price oracle, which calculated asset values by averaging prices from several pools including FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe.

Think of it like temporarily flooding a small pond with water to make it seem deeper than it actually is—the attacker manipulated market prices just long enough to trick the system into overvaluing their collateral.

This incident highlights how blockchain oracles serve as critical bridges between smart contracts and external data sources, making them attractive targets for exploitation.
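The averaging weakness described above can be reproduced in a small model; this is an added example, not code from UwU Lend or from the original article. It assumes simplified constant-product pools with constructed reserves (the pool names are the ones listed above), and the `guarded_oracle` deviation check against a time-weighted reference is a hypothetical mitigation, not the protocol's actual fix.

```python
from statistics import mean

POOLS = ["FRAXUSDe", "USDeUSDC", "USDeDAI", "USDecrvUSD", "GHOUSDe"]  # names from the article

class PriceDeviation(Exception):
    """Raised when a pool's spot price strays too far from its reference."""

class Pool:
    """Simplified constant-product pool (assumption; reserves are constructed)."""
    def __init__(self, name, usde, quote):
        self.name, self.usde, self.quote = name, float(usde), float(quote)
        self.twap = self.spot()  # stands in for a time-weighted price from earlier blocks

    def spot(self):
        return self.quote / self.usde  # quote tokens per 1 USDe, right now

    def swap_quote_in(self, amount):
        """Buy USDe with `amount` of quote token, keeping usde * quote constant."""
        k = self.usde * self.quote
        self.quote += amount
        self.usde = k / self.quote

def naive_oracle(pools):
    """Average of instantaneous spot prices: moves with any same-block trade."""
    return mean(p.spot() for p in pools)

def guarded_oracle(pools, max_dev=0.02):
    """Hypothetical hardening: refuse to price if spot deviates from the reference."""
    for p in pools:
        dev = abs(p.spot() - p.twap) / p.twap
        if dev > max_dev:
            raise PriceDeviation(f"{p.name}: spot off reference by {dev:.1%}")
    return mean(p.twap for p in pools)

def simulate(trade_size, pools_hit=3):
    """Return (naive price before, naive price after, guarded price or None)."""
    pools = [Pool(n, 10_000_000, 10_000_000) for n in POOLS]
    before = naive_oracle(pools)
    for p in pools[:pools_hit]:      # large borrowed-capital trades in one transaction
        p.swap_quote_in(trade_size)
    after = naive_oracle(pools)
    try:
        guarded = guarded_oracle(pools)
    except PriceDeviation:
        guarded = None               # lending action would revert instead of mispricing
    return before, after, guarded

if __name__ == "__main__":
    print("ordinary trade:", simulate(50_000))
    print("oversized trade:", simulate(10_000_000))
```

With ordinary trade sizes both oracles agree; with an oversized same-block trade the averaged spot price nearly triples while the guarded version refuses to return a price.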

Following the initial $20 million heist on June 10, UwU Lend immediately paused operations and set borrow and deposit rates to zero to protect remaining user positions.

After what they believed was successful vulnerability remediation, the protocol confidently reopened on June 12—only to suffer a second exploit hours later that drained an additional $3.5-$3.7 million.

In both attacks, the exploiter—whose initial funding was traced back to Tornado Cash—systematically targeted multiple asset pools including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT.

All stolen assets were swiftly converted to ETH, presumably to facilitate easier laundering.

The UwU Lend founder extended an olive branch to the attacker, offering a 20% white-hat bounty (approximately $4 million) for returning the funds, with a promise of no law enforcement involvement if they complied.

Meanwhile, the protocol team engaged security professionals to review the codebase and has begun repaying bad debt for Tether, DAI, and crvUSD.

The attack had ripple effects across the crypto ecosystem, even causing the Curve (CRV) token price to experience a significant drop in the aftermath.

The attack highlights the persistent vulnerabilities in DeFi oracle systems, where even momentary price manipulations can lead to catastrophic losses.

Despite affecting multiple asset pools, some markets including SIFU, VOLTA, and FRAX reportedly remained untouched by the exploit.

After the team attempted to reach out to the hacker following the first attack, they received no response whatsoever and were forced to proceed with their recovery plans independently.
