Ethereum-based Lending Protocol Uwulend Suffers $20 Million Exploit

The attack involved three transactions that converted Wrapped Bitcoin and DAI into ETH.

By: Pedro Solimano Loading...

stylized digital symbols and broken chains glowing in neon colors

Ethereum-based lending protocol Uwulend has been exploited to the tune of $20 million.

Cyvers Alerts detected the malicious behavior early Monday morning. An attacker executed three transactions that converted WBTC and DAI into Ether.

The Uwulend team informed their users via X that the platform has been paused while they investigate the situation.

The wallet address linked to the Uwulend exploiter holds a whopping 1,282 ETH or $4.7 million.

Notably, the UWU token didn’t react violently to the news. UWU dropped 3% to $2.91, which only adds to its overall downtrend. Over the past year, the token has shed 80% of its value and showcases a $26 million market capitalization, as per data from CoinGecko.

UWU Price chart
UWU Price

Cyvers Alerts team members told The Defiant that the attacker funded today’s exploit with assets withdrawn from cryptocurrency mixer Tornado Cash two days ago.

They also explained that the hack took place due to an issue with a price oracle across five different tokens. “Specifically, the sUSDe asset's value is determined using a median from several sources,” Cyvers Alerts said. During the hack, five of these sources—FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe were manipulated.

Uwulend touts itself as a decentralized non-custodial liquidity market protocol, and its website shows that the protocol has generated more than $9.3 million in fees. According to DefiLlama, it has $66 million in total value locked (TVL), which represents a near 50% drop from its late April peak of $115 million.

The protocol was created by Sifu, the controversial co-founder of the now-defunct crypto exchange QuadrigaX. QuadrigaX is a Canadian company that went under in 2019 after mysteriously losing $190 million in customer funds.

Sifu is yet to make any public announcement regarding Uwulend’s exploit.