SlowMist: UwU Lend Hack Analysis

SlowMist Security Team
2024-06-12 09:50:17

Author: Doris, @SlowMist Security Team

Background

On June 10, 2024, according to the MistEye security monitoring system, UwU Lend, a platform providing digital asset lending services on EVM chains, was attacked, with a loss of approximately $19.3 million. The SlowMist security team analyzed the incident and shares its findings below:

(https://x.com/SlowMist_Team/status/1800181916857155761)

Relevant Information

Attacker address:

0x841ddf093f5188989fa1524e7b893de64b421f47

Vulnerable contract address:

0x9bc6333081266e55d88942e277fc809b485698b9

Attack transactions:

0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3

0xb3f067618ce54bc26a960b660fc28f9ea0315e2e9a1a855ede508eb4017376

0x242a0fb4fde9de0dc2fd42e8db743cbc197fa2bf6a036ba0bba303df296408b

Core of the Attack

The core of this attack is that the attacker could manipulate the price oracle directly by making large swaps in the CurveFinance pool, moving the price of the sUSDE token, and then profit from the manipulated price by draining other assets from the lending pool.

Attack Process

1. Flash loan to drive down the price of USDE: The attacker first borrowed a large amount of assets through a flash loan and swapped part of the borrowed USDE for other tokens in the Curve pool that feeds the sUSDE price.

2. Open a large number of borrow positions: With the sUSDE price now sharply depressed, the attacker deposited other underlying tokens as collateral and borrowed a large amount of sUSDE.

3. Manipulate the oracle to raise the price of sUSDE: By performing the reverse swaps in the same Curve pool, the attacker quickly pushed the sUSDE price back up.

4. Liquidate the debt positions in bulk: Because the sUSDE price rose sharply, the positions opened earlier became liquidatable, and the attacker liquidated them in large numbers to obtain uWETH.

5. Deposit the remaining sUSDE and borrow other underlying tokens from the contract: The attacker then deposited the still-overpriced sUSDE as collateral to borrow more underlying tokens, taking the profit.

It is evident that the attacker profited mainly by repeatedly manipulating the price of sUSDE: borrowing large amounts while the price was low, then liquidating and re-collateralizing while it was high. We then looked into the oracle contract sUSDePriceProviderBUniCatch that computes the sUSDE price:

The sUSDE price is derived from 11 USDE price reads taken from the CurveFinance USDE pools and the UNI V3 pool; these reads are sorted and the median is taken as the price.

In this calculation logic, 5 of the 11 USDE prices are fetched with the get_p function, which returns the real-time spot price of the Curve pool. Spot prices move with every swap, so the attacker could shift the median directly with large swaps inside a single transaction.
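To make the weakness concrete, here is an added Python model (not the project's contract code) of the 11-read median described above. It assumes an attacker can move the 5 get_p spot reads freely within one transaction while the other 6 reads stay honest; the honest values are constructed. The envelope function shows that the median collapses to the extremes of the honest reads, and the guarded variant shows one mitigation: bounding deviation against a lagged reference.

```python
from typing import List, Optional, Tuple

# Model of the sUSDePriceProviderBUniCatch design described above (added
# example, not the project's code): 11 USDE price reads, 5 of which are Curve
# get_p spot prices that a single large swap can move. Values are constructed.
N_SOURCES = 11
N_SPOT = 5                            # reads an attacker can move in one tx
MEDIAN_IDX = (N_SOURCES - 1) // 2     # index 5 of the sorted 11 reads


def oracle_price(reads: List[float]) -> float:
    """Sort all reads and return the median, as the provider does."""
    assert len(reads) == N_SOURCES
    return sorted(reads)[MEDIAN_IDX]


def median_manipulation_envelope(honest: List[float],
                                 n_spot: int = N_SPOT) -> Tuple[float, float]:
    """Lowest and highest median an attacker can force by pushing n_spot reads
    to extreme values while the remaining reads stay honest."""
    h = sorted(honest)
    n = len(h) + n_spot
    m = (n - 1) // 2
    if n_spot > m:                    # attacker holds a majority: full control
        return (float("-inf"), float("inf"))
    # pushing n_spot reads down leaves h[m - n_spot] as the median;
    # pushing them up leaves h[m]
    return (h[m - n_spot], h[m])


def guarded_price(reads: List[float], reference: float,
                  max_dev: float = 0.02) -> Optional[float]:
    """Hardened variant: accept the median only if it lies within max_dev of a
    lagged reference (e.g. the last accepted price); None means 'reject'."""
    p = oracle_price(reads)
    if abs(p - reference) / reference > max_dev:
        return None
    return p


# Constructed honest reads: 5 slower Curve reads plus the UNI V3 read
HONEST = [0.998, 1.000, 1.001, 1.003, 1.005, 0.990]

if __name__ == "__main__":
    print("pushed down:", oracle_price(HONEST + [0.5] * N_SPOT))
    print("pushed up:  ", oracle_price(HONEST + [2.0] * N_SPOT))
    print("envelope:   ", median_manipulation_envelope(HONEST))
    print("guarded:    ", guarded_price(HONEST + [2.0] * N_SPOT, 1.0, 0.002))
```

With 5 of 11 reads under attacker control the median is pinned to whichever honest read is lowest or highest, so the oracle is only as robust as its least robust honest source; one more manipulable read would hand over the median entirely.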

MistTrack Analysis

According to the on-chain tracking tool MistTrack, the attacker 0x841ddf093f5188989fa1524e7b893de64b421f47 profited approximately $19.3 million in this attack, including ETH, crvUSD, bLUSD, and USDC, which were subsequently swapped to ETH.

By tracing the transaction fees of the attacker's address, it was found that the initial funds in this address came from a 0.98 ETH transfer from Tornado Cash, and the address subsequently received 5 more transfers from Tornado Cash.

Expanding the transaction graph reveals that the attacker transferred 1,292.98 ETH to the address 0x48d7c1dd4214b41eda3301bca434348f8d1c5eb6, which currently has a balance of 1,282.98 ETH; the attacker transferred the remaining 4,000 ETH to the address 0x050c7e9c62bf991841827f37745ddadb563feb70, which currently has a balance of 4,010 ETH.

MistTrack has blacklisted the relevant addresses and will continue to monitor the transfer dynamics of the stolen funds.

Conclusion

The core of this attack is that the attacker exploited a flaw in the price oracle, which fed real-time spot prices directly into its median calculation, to manipulate the price of sUSDE, and then borrowed and liquidated under the resulting severe price discrepancies to obtain illegitimate profits. The SlowMist security team recommends that project teams strengthen the anti-manipulation properties of their price oracles and design a more secure price-feed mechanism to prevent similar incidents from recurring.
