UwU Lend users rejoiced on Wednesday after the lending protocol said it was able to fully reimburse victims of its recent $23 million exploit.

But their celebrations were cut short when at 7:46 am London time, the same hacker returned to take another $3.7 million.

🚹SlowMist Security Alert🚹

We have detected that @UwU_Lend has suffered another loss of $3.72M.https://t.co/ttLSq0m18u

As always, stay vigilant! pic.twitter.com/6tz2e5NDwx

— SlowMist (@SlowMist_Team) June 13, 2024

That’s despite UwU Lend offering the hacker a 20% bounty — worth $4 million — to return users’ funds from the first hack.

The second hack comes after UwU Lend said in a June 12 X post that it had identified and fixed the vulnerability in its sUSDe market that the hacker previously exploited.

“All other markets have been re-reviewed by industry professionals and auditors with no issues or concerns found,” the protocol said.

UwU Lend did not return a request for comment.

UwU Lend began repaying users on Wednesday after the $23 million exploit forced it temporarily offline.

As of 5 am on Thursday, the protocol said it had repaid about $9.7 million stolen in the first hack.

“The protocol will repay all bad debt, as quickly as reasonably possible,” UwU Lend said. “We are happy to announce that no user funds have been lost due to this process.”

UwU Lend’s controversial founder Michael Patryn, better known by his pseudonym 0xSifu, had previously offered to drop any charges if the hacker returned 80% of the stolen crypto, worth about $18 million.

Oracle attack

On Monday, a hacker used a $4 billion flash loan to manipulate the price of certain tokens on UwU Lend, which allowed them to drain the protocol.

A flash loan is a type of DeFi transaction where a user borrows funds from a lending protocol and repays them in the same transaction.

While flash loans are often used by market makers to quickly arbitrage price differences in DeFi markets, they also make possible exploits that require large amounts of capital to perform.

Circuit founder Martin Derka — who co-developed a tool to detect flash loan-based exploits while at crypto security firm Quantstamp — said such exploits were notorious in DeFi.

“These kinds of vulnerabilities are usually very difficult to discover during smart contract audits, because they require in-depth knowledge of multiple protocols — those that one is auditing, and those that are being used as oracles,” he told DL News.

“There are also not enough automated tools that are capable of discovering such vulnerabilities.”

Launched in 2022, UwU Lend is a fork of Aave, the largest DeFi lending protocol with $12.4 billion of deposits.

A fork is where a developer team uses the open-source code from an existing DeFi protocol to launch a similar protocol — often on a different blockchain or with minor changes.

But the changes to Aave’s code allowed the hacker to drain UwU Lend. The protocol used easily manipulated oracles — software that provides it with the prices of various tokens.

UwU Lend’s UWU token is down 15% over the past week, and trades at around $2.70.

Aleks Gilbert is a DeFi Correspondent at DL News. Got a tip? Email him at aleks@dlnews.com.