lazarusholic

Analysis of the UwU Lend Attack

2024-06-13, SharkTeam
https://medium.com/@sharkteam/sharkteam-analysis-of-the-uwu-lend-attack-423735b677a7
#UwULend

Contents

On June 10, 2024, UwU Lend was attacked, and the project lost about 19.3 million US dollars.
SharkTeam conducted a technical analysis of the incident and summarized the security precautions, in the hope that future projects can learn from it and build a line of defense for the blockchain industry.
1. Attack transaction analysis
Attacker: 0x841dDf093f5188989fA1524e7B893de64B421f47
The attacker launched a total of 3 attack transactions:
Attack transaction 1:
0x242a0fb4fde9de0dc2fd42e8db743cbc197ffa2bf6a036ba0bba303df296408b
Attack transaction 2:
0xb3f067618ce54bc26a960b660cfc28f9ea0315e2e9a1a855ede1508eb4017376
Attack transaction 3:
0xca1bbf3b320662c89232006f1ec6624b56242850f07e0f1dadbe4f69ba0d6ac3
Take attack transaction 1 as an example for analysis:
Attack contract: 0x21c58d8f816578b1193aef4683e8c64405a4312e
Target contract: UwU Lend vault contracts, including:
uSUSDE: 0xf1293141fc6ab23b2a0143acc196e3429e0b67a6
uDAI: 0xb95bd0793bcc5524af358ffaae3e38c3903c7626
uUSDT: 0x24959f75d7bda1884f1ec9861f644821ce233c7d
The attack process is as follows:
1. Flash loans of multiple tokens from different platforms, including WETH, WBTC, sUSDe, USDe, DAI, FRAX, USDC, GHO
The token receiving address is 0x4fea76b66db8b548842349dc01c85278da3925da
The tokens and amounts of the flash loans are as follows:
159,053.16 WETH and 14,800 WBTC flash loan from AaveV3
40,000 WETH flash loan from AaveV2
91,075.70 WETH and 4,979.79 WBTC flash loan from Spark
301,738,880.01 sUSDe, 236,934,023.17 USDe …

IoC
