UwU Lend, the decentralized finance (DeFi) protocol that lost $20 million in an exploit on June 10, has been attacked again by the same hacker in the midst of a reimbursement process for affected users.
Blockchain security firm Cyvers alerted users on X to the ongoing exploit on Thursday, with onchain data showing that the attacker stole a further $3.7 million from the UwU Lend protocol.
The attacker exploited uDAI, uWETH, uLUSD, uFRAX, uCRVUSD and uUSDT asset pools and has already converted the stolen funds to ether.
The June 10 exploit was carried out by way of a flash loan attack, where the attacker swapped the USDe stablecoin for other tokens, manipulating the price of USDe and sUSDe.
The UwU Lend team said on June 12 they had identified and resolved that the vulnerability was unique to the sUSDe market oracle, and had unpaused the protocol and started paying off the protocol’s bad debt and reimbursing users.
UwU Lend repaid $9.7 million worth of bad debt, but because the protocol still treated the hacker’s funds as legitimate collateral and attacker still held a significant amount of these tokens from the first exploit, the attacker was still able to drain UwU Lend’s other pools.
Web3 security firm MetaTrust Labs noted that the hacker used 60 million sUSDe from the previous hack as collateral to drain the pool, and still holds 5 million sUSDe tokens.
UwU Lend was created by collapsed crypto exchange QuadrigaCX co-founder Michael Patryn or “0xSifu,” who offered the hacker a 20% bounty in exchange for returning 80% of the stolen funds.
That offer appears to be off the table based on Sifu’s latest blockchain message to the hacker.
“Repayment deadline for the funds you stole has passed. Five million dollar bounty to the first person to identify and locate you, paid in ETH,” wrote Sifu.