Understanding the UwU Lend Exploit

TL;DR

On June 10, 2024, UwU Lend was exploited across three different transactions on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of over 5272 ETH, totaling approximately $23 million.

Introduction to UwU Lend

UwU Lend is a decentralized, non-custodial liquidity market protocol where users can participate as depositors, borrowers, or LP stakers.

Vulnerability Assessment

The root cause of the exploit is manipulation of the price oracle.

Steps

Step 1:

We analyze one of the attack transactions executed by the exploiter.

Step 2:

The vulnerable and exploited contract is actually a fork of AAVE v2, but the UwU protocol made some changes to the fallback oracle.

Step 3:

The attacker initially took a flash loan of roughly $3.796 billion worth of assets from AAVE V3, AAVE V2, Uniswap V3, Balancer, Maker, Spark, and Morpho. Researchers within the DeFi security community note that this is probably one of the largest amounts ever borrowed for a particular trade.

Step 4:

Approximately half of these borrowed assets were used to create a leveraged position through recursive borrowing, in which the attacker held a huge amount of sUSDe debt.

Step 5:

The sUSDe price fetched through the sUSDePriceProviderBUniCatch contract on UwU Lend uses the median of 11 different price sources, out of which five (FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe) could be easily manipulated using Curve Finance pools. This is possible because these oracles derive the asset price from the current state of the pool, such as its token balances, which can be easily manipulated.

function getPrice() external view override returns (uint256) {
  (uint256[] memory prices, bool uniFail) = _getPrices(true);

  uint256 median = uniFail ? (prices[5] + prices[6]) / 2 : prices[5];

  require(median > 0, "Median is zero");

  return FullMath.mulDiv(median, sUSDeScalingFactor, 1e3);
}

function _getPrices(bool sorted) internal view returns (uint256[] memory, bool uniFail) {
  uint256[] memory prices = new uint256[](11);
  (prices[0], prices[1]) = _getUSDeFraxEMAInUSD();
  (prices[2], prices[3]) = _getUSDeUsdcEMAInUSD();
  (prices[4], prices[5]) = _getUSDeDaiEMAInUSD();
  (prices[6], prices[7]) = _getCrvUsdUSDeEMAInUSD();
  (prices[8], prices[9]) = _getUSDeGhoEMAInUSD();
  try UNI_V3_TWAP_USDT_ORACLE.getPrice() returns (uint256 price) {
    prices[10] = price;
  } catch {
    uniFail = true;
  }

  if (sorted) {
    _bubbleSort(prices);
  }

  return (prices, uniFail);
}

Step 6:

The other half of the borrowed assets was used to manipulate the prices reported by the five oracles mentioned above so that sUSDe was deemed more expensive than usual, which made the position insolvent. On the Curve Finance oracles, the price of sUSDe while borrowing was about 0.9, but the liquidation price stood at 1.03.

Step 7:

The attacker repeatedly liquidated the position to acquire uWETH, then reversed the manipulated asset price and repaid the flash loan to complete the attack and secure their profits.

Step 8:

There were two other attack transactions, one of which yielded the attacker approximately $7.2 million, while the other yielded roughly $7.6 million.

Step 9:

The stolen funds include assets in USDT, FRAX, bLUSD, and DAI, all of which were swapped for ETH and then split between two different EOAs. At the time of this writing, one address, likely controlled by the attacker, holds 1,282.9877 ETH, which is worth approximately $4,559,443.66. The other address holds 4,010 ETH, which is worth $14,242,406.

Step 10:

According to the team, the total loss suffered by the protocol stands at $23 million, which includes 481.357407 WETH worth $1,704,005; 17.629563 WBTC worth $1,191,564; 499,254.38 bLUSD worth $592,614.95; 233,819.07 crvUSD worth $233,567.96; 1,394,055.37 sDAI worth $1,516,553.58; 25,354,902.10 CRV worth $9,381,313.80; 3,522,427.55 DAI worth $3,520,853.90; 4,224,277.30 USDT worth $4,223,114.99; and 486,455.22 sUSDe worth $525,371.64.

Aftermath

The team acknowledged the occurrence of the exploit and stated that they paused their protocol to contain the damage caused by the exploit. The attacker deposited much of the stolen assets into Curve Finance-based Llama Lend Market, only to later face a hard liquidation, and their position was completely liquidated.

The team has further sent an on-chain message to the exploiter with hopes of retrieving 80% of the stolen funds in exchange for a 20% white hat bounty reward.

Solution

To address the vulnerabilities exposed by the UwU Lend exploit, a comprehensive reassessment of the protocol’s price oracle implementation is essential. The use of a median of 11 price feeds, while initially seeming robust, proved insufficient due to the low liquidity and lack of price smoothing in half of these feeds. This allowed the attacker to manipulate the prices easily. A more resilient approach would involve the exclusion of low liquidity feeds or the integration of sophisticated smoothing and weighting mechanisms that enhance the oracle’s resistance to manipulation, thereby increasing the costs and efforts required for an attack.
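The following added example (not code from UwU Lend or from the original article) audits a median shaped like getPrice() above by computing how far it can move when a given set of slots is free to take any value. The slot-to-source mapping, the choice of which slot in each Curve pair follows current pool state, and every price are assumptions constructed for illustration.

```python
# Prices are integers scaled by 10_000 (10_000 == 1.0000 USD); all values are constructed.
CAP = 10**9  # stand-in for "arbitrarily high" when bounding the worst case


def median_like_get_price(prices, uni_fail=False):
    """Mirror getPrice(): sort the 11 entries and take index 5, or the mean of
    indices 5 and 6 when the Uniswap entry failed and was left at 0."""
    s = sorted(prices)
    return (s[5] + s[6]) // 2 if uni_fail else s[5]


def worst_case_bounds(prices, manipulable):
    """Lowest and highest median reachable if every slot in `manipulable`
    can take any value while the other slots stay put."""
    low = [0 if i in manipulable else p for i, p in enumerate(prices)]
    high = [CAP if i in manipulable else p for i, p in enumerate(prices)]
    return median_like_get_price(low), median_like_get_price(high)


def audit(prices, manipulable, max_dev_bps=100):
    """Mark the feed non-robust if the worst-case median can leave a
    +/- max_dev_bps band around the current median."""
    now = median_like_get_price(prices)
    low, high = worst_case_bounds(prices, manipulable)
    dev_bps = max(now - low, high - now) * 10_000 // now
    return {"median": now, "low": low, "high": high, "robust": dev_bps <= max_dev_bps}


# Constructed snapshot in the slot order of _getPrices(): slots 0-9 are the
# five Curve pool pairs, slot 10 is the Uniswap V3 TWAP.
SNAPSHOT = [10_000, 9_900, 10_005, 10_000, 9_995, 10_300,
            10_000, 10_005, 10_010, 9_995, 10_000]

ONE_SLOT = {0}                     # a single bad entry
FIVE_SLOTS = {0, 2, 4, 6, 8}       # assumption: one value per Curve pair tracks pool state
ALL_CURVE_SLOTS = set(range(10))   # assumption: both values of every pair move together

if __name__ == "__main__":
    for name, slots in [("one", ONE_SLOT), ("five", FIVE_SLOTS), ("all curve", ALL_CURVE_SLOTS)]:
        print(name, audit(SNAPSHOT, slots))
```

With five of eleven slots free, the median is pinned to the minimum or maximum of the remaining six, so the feed is only as tight as the spread and independence of those six; once six or more slots move together, the median has no bound at all.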

Curve Finance, aware of the potential for manipulation in their pools, explicitly advises against using them as standalone price oracles. They incorporate certain protections, like the update of the price oracle only once per block and an exponential moving average to dampen rapid changes. However, these measures alone were not enough to prevent the manipulation seen in the UwU Lend exploit. To build on these foundational measures, protocols should consider using more robust solutions, such as those provided by ChainLink. ChainLink offers detailed methodologies for securely integrating price feeds from liquidity pools, including those based on Curve, which can significantly reduce the risk of similar exploits.

The incident also highlights the critical risks associated with DeFi protocol forks. In this case, UwU Lend was a fork of AAVE v2 but had altered the fallback oracle without fully addressing the security implications of such changes. This oversight underscores the importance of thorough security audits and stress testing, especially when protocols make substantial modifications to their codebase. These audits should not only check for direct vulnerabilities but also evaluate the broader security architecture’s resilience against complex attack vectors like those involving multiple DeFi platforms.

Furthermore, the massive scale of the flash loan used in this attack — amounting to nearly $3.796 billion — should have raised immediate red flags. Protocols can implement monitoring systems that trigger alerts or enforce limits when unusually large transactions or flash loans occur. Such systems could include dynamic restrictions that adjust based on typical transaction sizes and frequencies, providing an additional layer of security without hindering normal protocol operations.
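One way to build the size-based monitoring described above, as an added example that is not from the original article or any protocol's code base: flash-loan legs are summed per transaction across lenders, then compared with a rolling median-plus-MAD baseline. The class, thresholds, transaction labels and amounts are all hypothetical; only the lender names come from the article.

```python
from collections import defaultdict, deque
from statistics import median


def totals_by_tx(events):
    """Sum flash-loan legs per transaction: one trade can draw on several lenders."""
    totals = defaultdict(int)
    for tx, _lender, usd in events:
        totals[tx] += usd
    return dict(totals)


class FlashLoanMonitor:
    """Rolling baseline of per-transaction flash-loan totals, in USD."""

    def __init__(self, window=500, alert_k=10, limit_k=50, min_history=5):
        self.history = deque(maxlen=window)
        self.alert_k, self.limit_k, self.min_history = alert_k, limit_k, min_history

    def typical_size(self):
        """Median plus median absolute deviation; a few outliers barely move it."""
        med = median(self.history)
        return med + median(abs(x - med) for x in self.history)

    def classify(self, total_usd):
        """Return 'ok', 'alert' or 'limit' for one transaction total."""
        if len(self.history) < self.min_history:
            self.history.append(total_usd)  # still learning the baseline
            return "ok"
        base = self.typical_size()
        if total_usd > self.limit_k * base:
            return "limit"  # not added to history, so it cannot raise the limit
        self.history.append(total_usd)
        return "alert" if total_usd > self.alert_k * base else "ok"


# Constructed events (tx label, lender, USD); lender names are those the article lists.
LENDERS = ["AAVE V3", "AAVE V2", "Uniswap V3", "Balancer", "Maker", "Spark", "Morpho"]
EVENTS = [(f"tx{i}", "AAVE V3", usd) for i, usd in enumerate(
    [1_000_000, 2_500_000, 800_000, 4_000_000, 1_500_000, 3_000_000, 40_000_000], 1)]
EVENTS += [("tx8", lender, 500_000_000) for lender in LENDERS]


def run(events):
    """Classify each transaction total in arrival order."""
    monitor = FlashLoanMonitor()
    return {tx: monitor.classify(total) for tx, total in totals_by_tx(events).items()}


if __name__ == "__main__":
    print(run(EVENTS))
```

Aggregating per transaction matters because a loan split across seven lenders looks unremarkable at each lender but not in total.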

This article was originally published by Pukar Acharya for Neptune Mutual.



