The UwU Lend protocol, which was hacked for nearly $20 million on June 10, is under attack again in an ongoing cryptocurrency exploit.

On-chain data analytics platform Cyvers alerted the protocol about the exploit, claiming the attackers were the same as the ones that carried out the previous $20 million exploit.

The ongoing exploit has already stolen $3.5 million from different asset pools, namely uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. All stolen assets have been converted to ETH and are located at the attacker's address: 0x841dDf093f5188989fA1524e7B893de64B421f47.

First exploit was caused by price manipulation

The latest exploit for the lending protocol occurred within three days of the $20 million exploit, and UwU started the reimbursement process earlier today, just hours before the second exploit. 

The first UwU Lend exploit was caused by price manipulation. The attacker first used a flash loan to swap USDe for other tokens, which led to a lower price of $USDe and $sUSDe. The attacker then deposited some to UwU Lend and lent more $sUSDe than expected, driving the $USDe price higher.

Similarly, the attacker deposited sUSDe to UwU Lend and borrowed more CRV than expected. In the end, the attackers stole nearly $20 million in tokens through price manipulation. The exploiter then converted all the stolen funds into ETH.

UwU was in the process of reimbursing previous hack victims

The lending protocol was in the process of reimbursing hack victims and took to X to announce that it had repaid all bad debt for the $wETH market, which was 481.36 $wETH ($1,734,042). In total, the protocol reimbursed $9,715,288.


UwU claimed that it had identified the vulnerability responsible for the exploit and that it was unique to the USDe market oracle.

The protocol noted that the vulnerability has been resolved, and all other markets have been "re-reviewed by industry professionals and auditors with no issues or concerns found."