TL;DR#
On June 10, 2024, UwU Lend was exploited across three different transactions on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of over 5272 ETH, totaling approximately $23 million.
Introduction to UwU Lend#
UwU Lend is a decentralized, non-custodial liquidity market protocol where users can participate as depositors, borrowers, or LP stakers.
Vulnerability Assessment#
The root cause of the exploit is due to the manipulation of the price oracle.
Steps#
Step 1:
We attempt to analyze one of the attack transactions executed by the exploiter.
Step 2:
The vulnerable and exploited contract is actually a fork of AAVE v2, but the UwU protocol made some changes to the fallback oracle.
Step 3:
The attacker initially took a flash loan of roughly $3.796 billion worth of assets from AAVE V3, AAVE V2, Uniswap V3, Balancer, Maker, Spark, and Morpho. Researchers within the DeFi security community cite that this is probably one of the largest ever borrowed amounts for a particular trade.
Step 4:
Approximately half of these borrowed assets were used to create a leveraged position through recursive borrowing, in which the attacker held a huge amount of sUSDE debt.
Step 5:
The sUSDE price fetched through the sUSDePriceProviderBUniCatch contract on UwU Lend uses the median of 11 different price sources, out of which five (FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe) could be easily manipulated using CurveFinance pools. This is possible because these oracles provide the price of the assets given the current state of the pool, such as their token balance, which can be easily manipulated.
function getPrice() external view override returns (uint256) {
(uint256[] memory prices, bool uniFail) = _getPrices(true);
uint256 median = uniFail ? (prices[5] + prices[6]) / 2 : prices[5];
require(median > 0, "Median is zero");
return FullMath.mulDiv(median, sUSDeScalingFactor, 1e3);
}
function _getPrices(bool sorted) internal view returns (uint256[] memory, bool uniFail) {
uint256[] memory prices = new uint256[](11);
(prices[0], prices[1]) = _getUSDeFraxEMAInUSD();
(prices[2], prices[3]) = _getUSDeUsdcEMAInUSD();
(prices[4], prices[5]) = _getUSDeDaiEMAInUSD();
(prices[6], prices[7]) = _getCrvUsdUSDeEMAInUSD();
(prices[8], prices[9]) = _getUSDeGhoEMAInUSD();
try UNI_V3_TWAP_USDT_ORACLE.getPrice() returns (uint256 price) {
prices[10] = price;
} catch {
uniFail = true;
}
if (sorted) {
_bubbleSort(prices);
}
return (prices, uniFail);
}
Step 6:
The other half of the earlier borrowed assets were used to manipulate the price of five oracles in reference so that the price of sUSDE was deemed more expensive than usual, which made the position insolvent. On the Curve Finance oracles, the price of sUSDE while borrowing was about 0.9, but the liquidation price stood at 1.03.
Step 7:
The attacker repeatedly liquidated the position to acquire uWETH, then reversed the manipulated asset price and repaid the flash loan to complete the attack and secure their profits.
Step 8:
These are the other two attack transactions in reference, one of which yielded the attacker approximately $7.2 million, while the attacker profited by roughly $7.6 million from the other attack transactions.
Step 9:
The stolen funds include assets in USDT, FRAX, bLUSD, and DAI, all of which were swapped for ETH and then split into two different EOAs, this and this. At the time of this writing, this address, likely controlled by the attacker, has a hold of 1,282.9877 ETH, which is worth approximately $4,559,443.66. The other address has a hold of 4,010 ETH, which is worth $14,242,406.
Step 10:
According to the team, the total loss suffered by the protocol stands at $23 million, which includes 481.357407 WETH worth $1,704,005; 17.629563 WBTC worth $1,191,564; 499,254.38 bLUSD worth $592,614.95; 233,819.07 crvUSD worth $233,567.96; 1,394,055.37 sDAI worth $1,516,553.58; 25,354,902.10 CRV worth $9,381,313.80; 3,522,427.55 DAI worth $3,520,853.90; 4,224,277.30 USDT worth $4,223,114.99; and 486,455.22 sUSDe worth $525,371.64.
Step 11:
Just three days after the original exploit, on June 13, 2024, UwU Lend was exploited by the same attacker, which resulted in a further $3.72 loss for the protocol. This second exploit was not the result of the same vulnerability as the original exploit but rather a consequence of the initial attack vector.
Step 12:
The original exploiter held a significant amount of USDE tokens from the first attack. Despite the protocol reportedly being paused, USDE was still considered legitimate collateral for the protocol. This allowed the exploiter to take advantage of the remaining funds in USDE and drain other UwU lending pools.
Step 13:
The second attack drained funds from several asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. The stolen assets were converted to ETH and then sent to three different addresses, likely controlled by the attacker.
Aftermath#
The team acknowledged the occurrence of the exploit and stated that they paused their protocol to contain the damage caused by the exploit. The attacker deposited much of the stolen assets into Curve Finance-based Llama Lend Market, only to later face a hard liquidation, and their position was completely liquidated.
The team has further sent an on-chain message to the exploiter with hopes of retrieving 80% of the stolen funds in exchange for a 20% white hat bounty reward.
Solution#
To address the vulnerabilities exposed by the UwU Lend exploit, a comprehensive reassessment of the protocol's price oracle implementation is essential. The use of a median of 11 price feeds, while initially seeming robust, proved insufficient due to the low liquidity and lack of price smoothing in half of these feeds. This allowed the attacker to manipulate the prices easily. A more resilient approach would involve the exclusion of low liquidity feeds or the integration of sophisticated smoothing and weighting mechanisms that enhance the oracle's resistance to manipulation, thereby increasing the costs and efforts required for an attack.
Curve Finance, aware of the potential for manipulation in their pools, explicitly advises against using them as standalone price oracles. They incorporate certain protections, like the update of the price oracle only once per block and an exponential moving average to dampen rapid changes. However, these measures alone were not enough to prevent the manipulation seen in the UwU Lend exploit. To build on these foundational measures, protocols should consider using more robust solutions, such as those provided by ChainLink. ChainLink offers detailed methodologies for securely integrating price feeds from liquidity pools, including those based on Curve, which can significantly reduce the risk of similar exploits.
The incident also highlights the critical risks associated with DeFi protocol forks. In this case, UwU Lend was a fork of AAVE v2 but had altered the fallback oracle without fully addressing the security implications of such changes. This oversight underscores the importance of thorough security audits and stress testing, especially when protocols make substantial modifications to their codebase. These audits should not only check for direct vulnerabilities but also evaluate the broader security architecture's resilience against complex attack vectors like those involving multiple DeFi platforms.
Furthermore, the massive scale of the flash loan used in this attack—amounting to nearly $3.796 billion—should have raised immediate red flags. Protocols can implement monitoring systems that trigger alerts or enforce limits when unusually large transactions or flash loans occur. Such systems could include dynamic restrictions that adjust based on typical transaction sizes and frequencies, providing an additional layer of security without hindering normal protocol operations.
However, even with robust security measures, fully eradicating vulnerabilities remains a challenge. In these circumstances, collaboration with Neptune Mutual proves crucial. If UwU Lend had established a dedicated cover pool with us before the incident, the adverse effects of the exploit might have been greatly mitigated. Neptune Mutual specializes in offering coverage for losses stemming from smart contract vulnerabilities, using parametric policies tailored for these specific risks.
Partnering with Neptune Mutual simplifies the compensation process for users by reducing the requirement for extensive proof of loss documentation. Once an incident is confirmed and conclusively resolved through our detailed incident resolution protocol, we promptly turn our attention to delivering financial support to those impacted. This approach ensures that users affected by such security breaches receive timely assistance.
Our marketplace operates on multiple major blockchain networks, including Ethereum, Arbitrum, and the BNB chain, catering to a broad spectrum of DeFi users. This extensive reach enhances our capability to protect against a variety of vulnerabilities, thereby bolstering the overall security of our comprehensive client base.
Reference Source PeckShield
