UwU Lend Flash Loan Oracle Attack - June 10, 2024
Overview
On June 10, 2024, UwU Lend, a platform providing digital asset lending services on the EVM chain, was attacked and lost approximately US$19.3-23 million. The lending protocol was attacked first on June 10, leading to a loss of $20 million, then attacked again later that week for an additional $3.7 million.
Flash Loan Oracle Attack Mechanism
The incident was a flash loan exploit that manipulated the price oracles of sUSDe stablecoin on the platform. More specifically, five stablecoin pairs were targeted in order to influence the sUSDe price feed, or 'oracle.'
The attack exploited a weakness in how the sUSDe price was calculated. The sUSDe price is derived by fetching 11 different prices of the USDe token from Curve Finance and Uniswap V3 pools, sorting those prices and taking the median. In this calculation logic, 5 of the 11 USDe prices are obtained directly with the get_p function, which returns the immediate spot price of a Curve pool. Because a spot price moves with every swap, a large exchange executed within a single transaction shifts those 5 inputs at once, and that is enough to move the median. This design flaw is what allowed the attacker to influence the oracle price.
Attack Steps
1. The attacker used a flash loan to borrow a large amount of assets
2. Exchanged a portion of the borrowed USDE tokens in a Curve pool to suppress the sUSDE price
3. With the sUSDE price significantly lowered, the attacker used other base tokens to borrow a large amount of sUSDE tokens
4. The attacker then executed reverse exchanges in the Curve pool to rapidly increase the sUSDE price
5. Liquidated the positions opened at the manipulated prices and took the profit
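As an added example (not UwU Lend's or Curve's code) for the oracle design described above and the attack steps just listed, this Python model takes 11 USDe quotes, 5 of which stand in for get_p spot prices, and shows how far one in-transaction swap can move the median and how a lender could flag the deviation; the quote values are constructed, and attacker_reach generalizes to any odd quote count and any number of attacker-controlled inputs.

```python
from statistics import median


def oracle_price(quotes):
    """Oracle logic as described: sort every USDe quote and return the median."""
    return median(quotes)


def attacker_reach(honest, k):
    """Lowest and highest oracle price an attacker controlling k of the
    n = len(honest) + k quotes can force (n assumed odd).

    The median is the (n//2 + 1)-th smallest quote. Dragging all k
    controlled quotes towards 0 makes the median the (n//2 + 1 - k)-th
    smallest honest quote; dragging them upwards makes it the
    (n//2 + 1)-th smallest honest quote. If n//2 + 1 - k < 1 the
    attacker holds a majority and the median is unbounded (None)."""
    n = len(honest) + k
    h = sorted(honest)
    rank = n // 2 + 1 - k  # 1-based rank among the honest quotes
    if rank < 1:
        return None, None
    return h[rank - 1], h[n // 2]


def spot_deviation_alert(slow_quotes, spot_quotes, max_bps):
    """Defender-side check: flag any spot quote that strays more than
    max_bps from the median of the non-spot quotes, so the lender can
    pause borrowing on that reading instead of pricing collateral with it."""
    ref = median(slow_quotes)
    return any(abs(q - ref) / ref * 10_000 > max_bps for q in spot_quotes)


# Constructed sample feed: 6 non-spot quotes and 5 Curve get_p spot quotes.
SLOW = [0.9990, 1.0000, 1.0010, 0.9985, 1.0015, 1.0000]
SPOT = [1.0000, 0.9995, 1.0005, 1.0000, 0.9995]


def scenario(push_spot_to):
    """Oracle price before and after one swap drags all 5 spot quotes to push_spot_to."""
    before = oracle_price(SLOW + SPOT)
    after = oracle_price(SLOW + [push_spot_to] * len(SPOT))
    return before, after


if __name__ == "__main__":
    print("suppressed:", scenario(0.5), "pumped:", scenario(2.0)[1])
    print("reach with 5 of 11 inputs:", attacker_reach(SLOW, 5))
    print("reach with 6 of 11 inputs:", attacker_reach(SLOW[:5], 6))
    print("alert on suppressed spot:", spot_deviation_alert(SLOW, [0.5] * 5, 100))
```

With 5 of 11 inputs controlled the attacker can only push the median to the lowest or highest honest quote, so the damage depends entirely on how tightly the remaining 6 quotes cluster and on whether the lender sanity-checks spot inputs before using the result.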
Protocol Response
The protocol was paused shortly after the attack, according to the official UwU Lend X account. UwU Lend began repaying users after the $23 million exploit forced it temporarily offline. As of subsequent reporting, the protocol said it had repaid about $9.7 million stolen in the first hack. Notable affected users included Curve Finance founder Michael Egorov.
Sources