UwU Lend, a decentralized finance (DeFi) protocol forked from Aave and founded by QuadrigaCX co-founder Michael Patryn, also known as “0xSifu,” fell victim to an exploit on Monday.

Blockchain security firm Cyvers first alerted users to the hack in a post on X, noting that the protocol had lost around $14 million as of 8 a.m. ET on Monday. Around half an hour later, blockchain analytics firm Arkham estimated that the total loss from the exploit was closer to $19.3 million. 

The UwU Lend team later posted an update saying that the protocol had been paused while the situation was being investigated.

Blockchain security firm Beosin found that the attacker used a flash loan to swap the stablecoin USDe for other tokens, manipulating the price of USDe and sUSDe. Matthew Jiang, director of security services at BlockSec, suggested on the ETHSecurity Telegram channel that the root cause of the UwU Lend exploit was an improperly designed price oracle.

UwU Lend was founded by Patryn in September 2022 and had amassed $91 million in total value locked (TVL) before the exploit on June 10, according to data from DefiLlama. The protocol allows users to lend and borrow crypto, and distributes protocol fees to liquidity providers.

Patryn, who is best known for co-founding the collapsed crypto exchange QuadrigaCX, reappeared in the crypto scene when he served as treasurer of the Wonderland DAO under the pseudonym Sifu. He was doxxed by blockchain sleuth ZachXBT in January 2022 and was then ousted from his role after a community vote.

Shortly after his removal, Sifu began sending funds to Tornado Cash, and while he claimed this was his own money, some market participants speculated that these funds may have belonged to the community.

Sifu has now sent an on-chain message to the hacker offering a bounty of 20% of the funds taken in exchange for the return of 80% of them to the UwU Lend protocol.

“You will face no risk of us pursuing this further and no risk of law enforcement issues. If you choose not to partake in the voluntary return and complete the process by June 12 at 17:00 UTC, we will expand the bounty to the public and offer the full 20% to the person who can identify you in a way that leads to your conviction in the courts. We will pursue you from all angles,” said Sifu in the message.

Interestingly, the hacker deposited much of the stolen funds into Curve Finance’s Llama Lend protocol, which the hacker then used to borrow crvUSD. As per the most recent update from Curve Finance, lenders managed to hard liquidate the hacker’s position. 

“Unprecedented (and unplanned) test of LlamaLend resiliency successfully concluded: system worked exceptionally well,” wrote Curve Finance on X.