UwU Lend security incident triggers liquidation of Curve founder’s CRV lending position

A representative for Curve founder Michael Egorov said via Telegram message on Friday that a vulnerability in UwU Lend on Monday set off a chain of events that led to a large number of liquidations on Curve on Thursday. The $100 million in loans that Egorov had taken out from various protocols using Curve’s CRV token as collateral began to automatically liquidate on Thursday, causing the token to fall 30% before briefly recovering. “On April 15, they (UwU Lend) deployed vulnerable code for new (sUSDe) markets, which were not isolated, so the entire platform was at risk,” Egorov said. “UwU was hacked, and as part of the cash-out, the hacker deposited CRV stolen from UwU into lending.curve.fi (LlamaLend) and then disappeared with the funds, leaving the debt in the system.” UwU Lend lost $20 million in a flash loan attack on Monday and another $3.7 million in another attack on Thursday. As of Friday, a $5 million bounty was offered to find the attacker. In an X post, Egorov estimated that the bad debt in a specific CRV lending pool was $10 million (93% has been repaid). Although this market is completely isolated from other lending pools, CRV depositors cannot withdraw their funds as long as the bad debt exists. However, Egorov said that this situation may help strengthen Curve's security measures and lending mechanisms, and may provide better services to users in the coming months. He said: "The system was tested under unimaginable conditions on the day of the liquidation. We have a lot of things to deal with, but the most important thing is that we have all the information on how to make the safest and most resilient loans/borrowings ever." Egorov added: "I am committed to ensuring that all users can withdraw their deposits without trouble. I have always considered Curve Finance to be my top priority, and the most important thing is our community." (CoinDesk)