Analysis of the UwU Lend Hack

SlowMist
5 min readJun 11, 2024

--

Background

On June 10, 2024, the SlowMist MistEye security monitoring system detected a $19.3M attack on UwU Lend, a platform providing digital asset lending services on the EVM chain. Here’s what we found:

https://x.com/SlowMist_Team/status/1800181916857155761

Relevant Information

- Attacker Address:

  • 0x841ddf093f5188989fa1524e7b893de64b421f47

- Vulnerable Contract Address:

  • 0x9bc6333081266e55d88942e277fc809b485698b9

- Attack Transactions:

  • 0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3
  • 0xb3f067618ce54bc26a960b660cfc28f9ea0315e2e9a1a855ede1508eb4017376
  • 0x242a0fb4fde9de0dc2fd42e8db743cbc197ffa2bf6a036ba0bba303df296408b

Cause of the Attack

The core of this attack lies in the attacker’s ability to manipulate the price oracle by executing large exchanges in the CurveFinance pool. This manipulation affected the price of the sUSDE token, allowing the attacker to exploit the manipulated price to drain other assets from the pool.

Attack Process

1. Flash Loan and Price Suppression:

- The attacker used a flash loan to borrow a large amount of assets, then exchanged a portion of the borrowed USDE tokens in a Curve pool to suppress the sUSDE price.

2. Creating Borrowing Positions:

- With the sUSDE price significantly lowered, the attacker used other base tokens to borrow a large amount of sUSDE tokens.

3. Price Manipulation and Increase:

- The attacker then executed reverse exchanges in the Curve pool to rapidly increase the sUSDE price.

4. Liquidating Borrowing Positions:

- With the sUSDE price inflated, the attacker liquidated previous borrowing positions to obtain uWETH.

5. Borrowing More Base Tokens:

- Finally, the attacker deposited the high-priced sUSDE again to borrow more base tokens for profit.

It is evident that the attacker primarily manipulated the sUSDE price repeatedly to profit by borrowing heavily when the price was low and liquidating and re-collateralizing when the price was high. We examined the oracle contract sUSDePriceProviderBUniCatch responsible for calculating the sUSDE price:

The sUSDE price is derived by fetching 11 different prices of the USDE token from CurveFinance and UNI V3 pools, then sorting these prices and determining the median.

In this calculation logic, 5 of the USDE prices are directly obtained using the get_p function to fetch the immediate spot price from the Curve pool. This design flaw allowed the attacker to influence the median price calculation by executing large exchanges in a single transaction.

MistTrack Analysis

According to the MistTrack analysis, the attacker 0x841ddf093f5188989fa1524e7b893de64b421f47 profited approximately $19.3 million from the attack, including ETH, crvUSD, bLUSD, and USDC, all of which were converted to ETH.

- The attacker’s initial funds of 0.98 ETH originated from Tornado Cash, followed by five more transfers from Tornado Cash.

- The attacker transferred 1,292.98 ETH to the address 0x48d7c1dd4214b41eda3301bca434348f8d1c5eb6, leaving a balance of 1,282.98 ETH.

- Another 4,000 ETH was transferred to the address 0x050c7e9c62bf991841827f37745ddadb563feb70, with a current balance of 4,010 ETH.

MistTrack has blacklisted the relevant addresses and will continue to monitor the movement of the stolen funds.

Conclusion

The attack exploited a vulnerability in the price oracle, where the direct use of real-time spot prices and median price calculations allowed the attacker to manipulate the sUSDE price. The SlowMist security team recommends enhancing the anti-manipulation capabilities of price oracles and designing more secure oracle feeding mechanisms to prevent similar incidents in the future.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Responses (1)