UwU Lend, a decentralized finance (DeFi) lending platform, suffered a security exploit on June 10th, losing more than $18.89 million on the Ethereum blockchain. UwU Lend lets cryptocurrency users earn yield on and borrow digital assets. Unlike a traditional bank, it is non-custodial: it never takes custody of user funds. Users can participate as depositors, borrowers, or LP stakers. Depositors supply liquidity to the market to earn passive income; borrowers take overcollateralized loans (the collateral they post is worth more than what they borrow); and LP stakers provide liquidity and receive a revenue share when they stake their LP tokens.
Following the incident, UwU Lend’s developer team acknowledged the attack and reassured users that steps were being taken to recover the stolen funds.
The attacker exploited a weakness in UwU Lend's pricing system. They began by receiving a small amount of Ethereum (4.9 ETH) from Tornado Cash to fund the operation and deploying a malicious program to carry out the attack.
The attack was carried out in several steps. First, the attacker took out a flash loan of 80,000 ETH, a loan that must be repaid within the same transaction. Using that borrowed capital, they manipulated UwU Lend's pricing and drained a range of assets, including wrapped Bitcoin (wBTC), wrapped Ether (wETH), and the stablecoins DAI, FRAX, USDT and USDC.
The attacker didn't stop there. They converted the stolen assets into ETH on Uniswap, a popular decentralized exchange, and also drained roughly $1.5 million worth of Curve.fi USD and bLUSD tokens.
The stolen funds were then moved through several addresses. After consolidating everything in one address (referred to as "Exploiter 1"), the attacker swapped the Curve.fi tokens for more ETH and finally transferred all of the stolen funds to two other linked addresses.
Like many other DeFi exploits, the UwU incident was built on a flash loan. Flash loans are uncollateralized loans that must be repaid within a single transaction; they have legitimate uses such as arbitrage and liquidity provision. Attackers, however, use the temporary access to large capital to manipulate markets or to exploit smart contract vulnerabilities for profit. Because a flash loan attack is atomic (the entire transaction either succeeds or reverts) and completes within one block, it is hard to prevent or interrupt. Picture an attacker borrowing a huge sum, using it to move an asset's price, and repaying the loan, all inside one blockchain transaction. This combination of borrowed capital that costs nothing to hold and near-instant execution is what makes flash loans dangerous.
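To make the mechanics concrete, the following is an added Python simulation written for this article; it is not code from UwU Lend, from the attacker, or from the original text, and all of its numbers (pool reserves, loan size, loan-to-value ratio) are constructed. It models a constant-product pool whose price a lending protocol reads as collateral value, and contrasts two oracle designs: a spot-price oracle, which a single large swap can move within one transaction, and a time-weighted average price (TWAP) oracle that only averages end-of-block prices. The article does not say which oracle design UwU Lend used; the example goes beyond the text to show why the second design is the usual mitigation and how much bad debt each design would leave the protocol holding.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool (no fees) holding a volatile token and a stablecoin.
    Constructed for this example; not a real exchange contract."""
    token: float   # reserve of the volatile asset
    stable: float  # reserve of the stablecoin

    def spot_price(self) -> float:
        """Stablecoins per token implied by the current reserves."""
        return self.stable / self.token

    def swap_stable_for_token(self, stable_in: float) -> float:
        """Pay stablecoin in, receive token out (pushes the spot price up)."""
        k = self.token * self.stable
        self.stable += stable_in
        token_out = self.token - k / self.stable
        self.token -= token_out
        return token_out

    def swap_token_for_stable(self, token_in: float) -> float:
        """Pay token in, receive stablecoin out (pushes the spot price down)."""
        k = self.token * self.stable
        self.token += token_in
        stable_out = self.stable - k / self.token
        self.stable -= stable_out
        return stable_out


class SpotOracle:
    """Values collateral from the pool's live reserves: whatever the
    reserves say right now, even mid-transaction, is the price."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def end_of_block(self) -> None:
        pass  # nothing to record; always reads live state

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Values collateral from the average of the prices observed at the end
    of the last `window` blocks. A swing that is opened and unwound inside
    one transaction never appears in an end-of-block observation."""
    def __init__(self, pool: ConstantProductPool, window: int = 10):
        self.pool = pool
        self.history: deque = deque(maxlen=window)

    def end_of_block(self) -> None:
        self.history.append(self.pool.spot_price())

    def price(self) -> float:
        return sum(self.history) / len(self.history)


LTV = 0.8  # hypothetical loan-to-value ratio used by the toy lending protocol


def max_borrow(oracle, collateral_tokens: float) -> float:
    """The lending protocol's check: how much stablecoin may be borrowed
    against `collateral_tokens` at the oracle's current price."""
    return collateral_tokens * oracle.price() * LTV


def simulate(oracle_factory, flash_loan: float = 900_000.0,
             collateral_tokens: float = 10.0) -> dict:
    """Run one flash-loan-sized swing through the pool while the protocol
    prices collateral with the given oracle, and report the bad debt
    (borrowed amount exceeding the fair value of the collateral) left behind."""
    pool = ConstantProductPool(token=1_000.0, stable=100_000.0)  # price 100
    oracle = oracle_factory(pool)
    for _ in range(10):          # ten quiet blocks of history at price 100
        oracle.end_of_block()

    # --- everything below happens inside a single atomic transaction ---
    bought = pool.swap_stable_for_token(flash_loan)   # spot price now 10,000
    borrowed = max_borrow(oracle, collateral_tokens)  # protocol's lending check
    repaid = pool.swap_token_for_stable(bought)       # unwind; price back to 100
    assert repaid >= flash_loan                       # the flash loan can be repaid
    # --- transaction ends; the block closes ---
    oracle.end_of_block()

    fair_value = collateral_tokens * pool.spot_price()
    return {
        "borrowed": borrowed,
        "collateral_value": fair_value,
        "bad_debt": max(0.0, borrowed - fair_value),
    }


if __name__ == "__main__":
    for name, factory in (("spot", SpotOracle), ("twap", TwapOracle)):
        print(name, simulate(factory))
```

With the spot oracle the protocol lends 80,000 stablecoins against collateral worth 1,000 and is left with 79,000 of bad debt; with the TWAP oracle the same swing changes nothing and the borrower gets 800. The caveat a practitioner should keep in mind is that a TWAP only resists manipulation that lives and dies within one block; a well-funded attacker who can hold a pool away from its fair price across many blocks can still drift the average, so TWAPs are normally paired with a second independent price source and sanity bounds on how far the reported price may move between reads.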
Mitigating flash loan attacks requires a multi-pronged approach focused on smart contract security and broader improvements to the DeFi ecosystem. Here are some key strategies: