UwULend Oracle Price Manipulation
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
UwULend is a lending protocol which allows users to deposit, borrow, or earn rewards for providing liquidity. Unfortunately, it appears that the protocol used a different artificially inflated rate when determining liquidation of assets. This allowed an attacker to use Flash loans to drain the liquidity in a series of at least 3 attacks. The funds for the attack were sources from TornadoCash, and ultimately returned to TornadoCash, except a portion which was liquidated on Curve's Llama Lend.[1][2][3][4][5][6][7]
About UwULend
"UwU Lend is a decentralized non-custodial liquidity market protocol where users can participate as depositors, borrowers or LP stakers. Depositors provide liquidity to the market to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) fashion. LP stakers provide liquidity and receive revenue share when staking their LP tokens."
"We generate significant exposure by integrating lending markets, strategies, and vaults within a single platform." "A wide range of supported assets, including major stable coins and exotic tokens." "1-Click Loop your tokens to earn more rewards in UwU and maximize your profits." "Various strategies and vaults to choose from to maximize your returns." "100% of the revenue generated by the platform is distributed amongst platform users."
The protocol "had recently passed a robust security audit".
The Reality
"No platform can be considered entirely risk free. The potential risks to the UwU Lend platform would be smart contract risks (risk of a bug within the protocol code) and liquidation risk (risk on the collateral liquidation process). Every possible step has been taken to minimize the risks as much as possible - the protocol code has been forked from AAVE V2’s battle tested open source code and it has been audited. Any changes in code and/or new features are tested and audited before release. Additionally, there have been no exploits or security issues since launching in 2022."
"UwuLend[ was] launched by Frog Nation's former CFO Sifu".
What Happened
Än "attack, first identified by Cyvers, utilized a series of three transactions within six minutes to convert stolen $WBTC and $DAI into $ETH after being funded from Tornado Cash."
| Date | Event | Description |
|---|---|---|
| June 10th, 2024 6:05:59 AM MDT | First Attack Transaction | The first attack transaction happens on the blockchain. |
| June 10th, 2024 6:06:35 AM MDT | Second Attack Transaction | The second attack transaction happens on the blockchain. |
| June 10th, 2024 6:12:35 AM MDT | Third Attack Transaction | The third attack transaction happens on the blockchain. |
| June 10th, 2024 7:33:00 AM MDT | UwULend Tweet Acknowledging | UwULend provides an update to the community to let everyone know that they are aware of the exploit and investigating. |
| June 11th, 2024 12:06:00 AM MDT | Rekt News Update | Rekt publishes an update including linking to their analysis of the situation. Losses are listed at $19.4m. |
| June 11th, 2024 2:26:00 AM MDT | UwuLend Shares Update | UwULend shares an update on Twitter, including the assets taken and that they have reached out to the attacker. The interest rate in the protocol has been set to 0% for both borrowers and lenders. Losses are estimated at $23m. |
Technical Details
"Uwulend’s contract is a fork version of AAVE V2, but they changed the oracle fallback logic to borrow assets at one rate and liquidate them at an artificially inflated rate as seen here.
According to root cause analysis by Nick Franklin, the exploit took advantage of a price discrepancy in UwuLend's oracles.
To manipulate the price, the attacker utilized a flash loan. UwuLend's fallback oracle calculated prices based on the state of several Curve pools.
The attacker could manipulate the pool states by making large trades with the borrowed tokens.
This manipulated the price feed, allowing the attacker to borrow sUSDe at 0.99 but liquidate positions at the inflated 1.03 rate."
Total Amount Lost
Rekt: $19.4 million UwuLend: $23mm
"WETH 481.357407 ($1,704,005.85) WBTC 17.629563 ($1,191,564.34) bLUSD 499,254.38 ($592,614.95) crvUSD 233,819.07 ($233,567.96) sDAI 1,394,055.37 ($1,516,553.58) CRV 25,354,902.10 ($9,381,313.80) DAI 3,522,427.55 ($3,520,853.90) USDT 4,224,277.30 ($4,223,114.99) sUSDe 486,455.22 ($525,371.64)"
The total amount lost has been estimated at $23,000,000 USD.
Immediate Reactions
"The $19.4 million in drained capital was swiftly moved across two Ethereum addresses in a blitz strike choreographed with criminal precision."
"UwuLend acknowledged the exploit roughly an hour later, pausing the protocol while the team investigated the situation."
"The protocol was paused a little under an hour ago while the team investigates the situation. Please rest assured that we were made aware of the situation immediately and are taking all necessary steps, doing our best here. Stay tuned for further updates."
Ultimate Outcome
"Yesterday UwU Lend was the target of an exploit involving a sophisticated attack. The team reacted swiftly and the protocol was paused within minutes. Rates for borrows and deposits have been set to 0% so users’ positions will not be affected by this pause."
"We have made an offer to the hacker and are awaiting a response. The protocol will remained paused until the investigation has concluded."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
"With his history of controversies, the question on everyone's mind is, has the former Frog Nation CFO orchestrated yet another masterful deception in the crypto realm?"
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ @peckshield Twitter (Jun 11, 2024)
- ↑ @UwU_Lend Twitter (Jun 11, 2024)
- ↑ @UwU_Lend Twitter (Jun 11, 2024)
- ↑ @RektHQ Twitter (Jun 11, 2024)
- ↑ Rekt - Uwulend - Rekt (Jun 11, 2024)
- ↑ @CyversAlerts Twitter (Jun 11, 2024)
- ↑ UwU Lend (Jun 11, 2024)