In a continuing security breach, the decentralized finance (DeFi) platform UwU Lend experienced a hack on Monday, resulting in a loss of nearly $20 million.
UwU Lend, renowned for its involvement in decentralized finance, facilitates users in depositing and borrowing digital assets, serving as a liquidity market within the DeFi landscape. The breach, initially detected by on-chain security company Cyvers, has swiftly escalated into a significant incident impacting various digital assets.
UwU Lend Protocol Hack: Initial Discovery and Immediate Impact
Cyvers initially uncovered the exploit, alerting UwU Lend through a post on X on June 10.
The situation rapidly intensified as, within an hour, the stolen amount exceeded $20 million.
UwU Lend is now contending with the aftermath of this significant breach. The unidentified hacker successfully siphoned various assets from the protocol’s pools, converting them into Ethereum (ETH).
Meir Dolev, co-founder and chief technology officer of Cyvers, provided further insights into the incident in a report.
“The attack is still underway, but it’s evident that we’re facing a major incident that has already surpassed the $20 million mark,” he said. “We’re witnessing the draining of different assets (such as WBTC and DAI) from the pools, converted into ETH.”
Subsequent investigations revealed that the attack was enabled by the widely known crypto-mixing protocol Tornado Cash, utilized by the hacker to finance the exploit.
“The UwU lending contract was exploited by an attacker who executed three transactions in six minutes, draining approximately $20 million,” Dolev explained. “The attacker received funding from Tornado Cash two days ago.”
In response to the attack, the UwU team announced the protocol’s suspension less than an hour ago to conduct an investigation. Reassuring users, the team stated,
Rising Trend of Crypto Hacks in 2024
In a recent report by Immunefi, it was revealed that in May 2024, the cryptocurrency industry incurred losses totaling around $473.22 million from 108 separate incidents.
This amount reflects a 12% decrease compared to May 2023, when losses surpassed $59 million, and a 28% decrease month-over-month. The majority of losses in May 2024 were attributed to two major projects: Gala Games, a cryptocurrency gaming venture, which suffered a $21 million loss, and Sonne Finance, a decentralized lending platform, which faced a $20 million setback.
During this period, decentralized finance (DeFi) platforms were the primary targets for exploitation, while centralized finance (CeFi) remained untouched by significant attacks.
Hacks were the main cause of financial losses, amounting to $50,618,600 across 14 incidents, while fraud accounted for $1,753,300 from seven occurrences. Ethereum and BNB Chain emerged as the most targeted blockchains, representing 62% of the total losses.
In a related incident last month, the decentralized finance (DeFi) lending protocol Pike Finance suffered a significant security breach, resulting in a loss of $1.6 million over three days due to a smart contract vulnerability.
On April 30, an attacker exploited vulnerabilities in Pike’s Ethereum, Arbitrum, and Optimism chains, draining $1.68 million. This marked the second attack following a $300,000 exploit on April 26, both stemming from the same vulnerability that allowed the attacker to manipulate the output address and override the contract.