On June 10, 2024, UwU Lend was attacked and the project owner lost approximately US$19.3 million.

SharkTeam conducted a technical analysis of the incident and summarized security precautions at the first opportunity, hoping that subsequent projects can learn from it and jointly build a security line of defense for the blockchain industry.

1. Analysis of attack transactions

Attacker: 0x841dDf093f5188989fA1524e7B893de64B421f47

The attacker initiated a total of 3 attack transactions:

Attack Transaction 1:

0x242a0fb4fde9de0dc2fd42e8db743cbc197ffa2bf6a036ba0bba303df296408b

Attack Transaction 2:

0xb3f067618ce54bc26a960b660cfc28f9ea0315e2e9a1a855ede1508eb4017376

Attack Transaction 3:

0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3

Take attack transaction 1 as an example for analysis:

Attack contract: 0x21c58d8f816578b1193aef4683e8c64405a4312e

Target contract: UwU Lend Treasury contract, including:

uSUSDE:0xf1293141fc6ab23b2a0143acc196e3429e0b67a6

uDAI:0xb95bd0793bcc5524af358ffaae3e38c3903c7626

uUSDT:0x24959f75d7bda1884f1ec9861f644821ce233c7d

The attack process is as follows:

1. Flash loan multiple tokens from different platforms, including WETH, WBTC, sUSDe, USDe, DAI, FRAX, USDC, GHO

The token receiving address is 0x4fea76b66db8b548842349dc01c85278da3925da

The tokens and quantities of flash loans are as follows:

Flash loan 159,053.16 WETH and 14,800 WBTC from Aave V3

Flash loan 40,000 WETH from Aave V2

Flash loan 91,075.70 WETH and 4,979.79 WBTC from Spark

Flash loan 301,738,880.01 sUSDe, 236,934,023.17 USDe and 100,786,052.15 DAI from Morpho

Flash loan 60,000,000 FRAX and 15,000,000 USDC from Uniswap V3: FRAX-USDC

Flash loan 4,627,557.47 GHO and 38,413.34 WETH from Balancer

Flash loan 500,000,000 DAI from Maker

A total of approximately 328,542.2 WETH, 19779.79 WBTC, 600786052.15 DAI, 301,738,880.01 sUSDe, 236,934,023.17 USDe, 4,627,557.47 GHO, 60,000,000 FRAX, 15,000,000 USDC

2. Transfer the flash loan token to the contract 0xf19d66e82ffe8e203b30df9e81359f8a201517ad (abbreviated as 0x f 19 d) in preparation for launching an attack.

3. Control the price of sUSDe (lower the price) by exchanging tokens

(1)USDecrvUSD.exchange

Convert 8, 676, 504.84 USDe to 8, 730, 453.49 crvUSD. The amount of USDe in USDecrvUSD increases, the price decreases, and the amount of crvUSD decreases, the price increases.

(2)USDeDAI.exchange

Convert 46,452,158.05 USDe to 14,389,460.59 DAI. The amount of USDe in USDeDAI increases, the price decreases, and the amount of DAI decreases, the price increases.

(3)FRAXUSDe.exchange

Convert 14,477,791.69 USDe to 46,309,490.86 FRAX. The amount of USDe in USDeDAI increases, the price decreases, and the amount of FRAX decreases, the price increases.

(4)GHOUSDe.exchange

Convert 4,925,427.20 USDe to 4,825,479.07 GHO. The amount of USDe in USDeDAI increases, the price decreases, and the amount of GHO decreases, the price increases.

(5)USDeUSDC.exchange

Convert 14,886,912.83 USDe to 14,711,447.94 USDC. The amount of USDe in USDDeDAI increases, the price decreases, the amount of USDC decreases, the price increases.

After the above exchange, the USDe prices in the 5 funding pools decreased, which eventually led to a sharp drop in the sUSDe price.

4. Continue to create lending positions, that is, deposit other assets (WETH, WBTC and DAI) into the LendingPool contract, and then borrow sUSDe. Because the price of sUSDe has plummeted, the amount of sUSDe borrowed is much more than before the price plummeted.

5. Similar to step 3, the reverse operation will increase the price of sUSDe.

As sUSDe was pushed up, the value of the borrowed position in step 4 exceeded the collateral value and reached the liquidation standard.

6. Liquidate loan positions in batches and receive liquidation rewards uWETH

7. Repay the loan and withdraw the underlying assets WETH, WBTC, DAI and sUSDe.

8. Deposit sUSDe into LendingPool again. At this time, the price of sUSDe is raised, so more other assets can be loaned out, including DAI and USDT.

9. Exchange tokens and repay flash loans. Final profit 1, 946.89 ETH

2. Vulnerability Analysis

Through the above analysis, it is found that there are a large number of flash loans and multiple manipulations of the sUSDe price during the entire attack process. When sUSDe is pledged, the amount of borrowed assets will be affected; when sUSDe is lent, the borrowing rate will be affected, and then the liquidation coefficient (health factor) will be affected.

The attacker took advantage of this and used flash loans to lower the price of sUSDe, pledged other assets, borrowed a large amount of sUSDe, and then raised the price of sUSDe, liquidated the pledged assets for profit, and used the remaining sUSDe to pledge other assets. Finally, he repaid the flash loan and the attack was complete.

From step 3 above, we can see that the attacker manipulated the price of sUSDe by controlling the price of USDe in five trading pools of Curve Finance: USDe/rvUSD, USDe/AI, FRAX/SDe, GHO/SDe and USDe/SDC. The price reading function is as follows:

Among them, the sUSDe price is calculated from 11 prices, the first 10 of which are read from CurveFinance, and the last one is provided by Uniswap V3.

The prices read from CurveFinance are provided by five trading pools: USDe/rvUSD, USDe/AI, FRAX/SDe, GHO/SDe and USD/SDC, which are also the five trading pools manipulated by the attacker in the attack transactions.

The returned price is calculated by the price read by uwuOracle, price_oracle( 0) and get_p( 0) in the CurveFinance trading pool contract.

(1) Price is the price provided by Chainlink and cannot be manipulated;

(2) Trading pool parameters

The attacker manipulates the return value of get_p( 0) by manipulating the number of tokens in the trading pool, thereby manipulating the price.

3. Safety Recommendations

In response to this attack, the following precautions should be followed during development:

(1) To address the price manipulation vulnerability, an off-chain price oracle can be used to prevent price manipulation.

(2) Before the project goes online, a third-party professional auditing company needs to conduct a smart contract audit.

About Us

SharkTeam's vision is to protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world, who are proficient in the underlying theories of blockchain and smart contracts. It provides services including risk identification and blocking, smart contract auditing, KYT/AML, on-chain analysis, and has created an on-chain intelligent risk identification and blocking platform ChainAegis, which can effectively combat the advanced persistent threats (APT) in the Web3 world. It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, polygon, Sui, OKX, imToken, Collab.Land, TinTinLand, etc.

Official website: https://www.sharkteam.org

Twitter:https://twitter.com/sharkteamorg

Telegram:https://t.me/sharkteamorg

Discord:https://discord.gg/jGH9xXCjDZ