
DeFi Platform Pendle Halts Massive Losses With $105 Million Crypto Rescue


The DeFi project Penpie, built on Pendle, recently faced an exploit that saw millions of dollars in various crypto assets being taken. Pendle, the underlying protocol for Penpie, successfully prevented additional losses totaling over $100 million in users’ funds.

Huge Crypto Theft Hits DeFi Network

Penpie, an independent yield optimizer built on Pendle, was targeted by an exploit on Tuesday that resulted in the theft of over $20 million from the platform. The attacker exploited a vulnerability in the reward distribution mechanism to steal assets such as sUSDe, wrapped USDC, and staked ETH.

PeckShield, a security firm, revealed that the hacker used an “evil market” contract to manipulate staking balances and claim unauthorized rewards. The vulnerability stemmed from a Penpie-specific feature that allowed Pendle markets to be listed without permission.

Among the assets stolen were $7.87 million in wstETH, $2.51 million in sUSDe, $3.4 million in agETH, $2.22 million in rswETH, and various Pendle-related tokens. The hacker converted these assets into 11,113 ETH through the Li.fi protocol.


Afterward, the stolen funds, valued at $27.3 million, were sent to the crypto mixer Tornado Cash. The attacker transferred over 3,000 ETH (approximately $7.2 million) to the mixer by Wednesday morning.

The Penpie Team reached out to the attacker, urging an amicable resolution and offering a white hat bounty for the safe return of the funds. They also proposed a transition to a beneficial role for the attacker while ensuring anonymity and no legal repercussions.

As of now, there has been no update on any resolution between the attacker and the project team.

Aftermath Analysis: Swift Response Curbs Further Losses

Pendle promptly published a post-mortem report on Wednesday, detailing the incident and how their quick action averted additional losses from Penpie’s funds. Their internal monitoring system detected suspicious activities as soon as the contract received 10 ETH from Tornado Cash hours before the attack.
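The kind of early-warning rule described above, sketched as an added example (this is not Pendle's monitoring system or code from the post-mortem). The addresses, the 1 ETH threshold, the 24-hour window and the one-hop propagation are all assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass

# Constructed placeholders: a real deployment would load a maintained list of
# mixer contracts and the protocol's own contract addresses.
MIXERS = {"0xMIXER_POOL_A", "0xMIXER_POOL_B"}
WATCHED = {"0xPROTOCOL_REGISTRY", "0xPROTOCOL_STAKING"}

@dataclass(frozen=True)
class Tx:
    ts: int           # unix seconds
    sender: str
    to: str
    value_eth: float

def mixer_funded_alerts(txs, min_eth=1.0, window_s=24 * 3600, max_hops=1):
    """Return (severity, address, ts) alerts in time order.

    'watch'  : address was funded by a mixer, directly or within max_hops.
    'urgent' : such an address called a watched contract inside the window.
    """
    tainted = {}  # address -> (mixer funding ts, hops away from the mixer)
    alerts = []
    for tx in sorted(txs, key=lambda t: t.ts):
        src = tainted.get(tx.sender)
        fresh = src is not None and tx.ts - src[0] <= window_s
        if tx.sender in MIXERS and tx.value_eth >= min_eth:
            tainted[tx.to] = (tx.ts, 0)
            alerts.append(("watch", tx.to, tx.ts))
        elif fresh and tx.to in WATCHED:
            alerts.append(("urgent", tx.sender, tx.ts))
        elif (fresh and tx.value_eth > 0 and src[1] < max_hops
              and tx.to not in tainted):
            # Funds moved on to a helper address or contract: follow one hop.
            tainted[tx.to] = (src[0], src[1] + 1)
            alerts.append(("watch", tx.to, tx.ts))
    return alerts

# Constructed sample feed (not data from the incident).
SAMPLE = [
    Tx(1_000, "0xMIXER_POOL_A", "0xEOA", 10.0),        # mixer funding
    Tx(1_500, "0xEOA", "0xHELPER", 9.5),               # forwarded one hop
    Tx(2_000, "0xUSER_1", "0xPROTOCOL_STAKING", 0.0),  # ordinary user
    Tx(3_000, "0xMIXER_POOL_B", "0xSMALL", 0.1),       # below threshold
    Tx(4_000, "0xSMALL", "0xPROTOCOL_STAKING", 0.0),
    Tx(1_000 + 5 * 3600, "0xHELPER", "0xPROTOCOL_REGISTRY", 0.0),
    Tx(1_000 + 30 * 3600, "0xEOA", "0xPROTOCOL_STAKING", 0.0),  # window expired
]

if __name__ == "__main__":
    for alert in mixer_funded_alerts(SAMPLE):
        print(alert)
```

The threshold and window trade alert volume against lead time: lowering `min_eth` also flags the small withdrawal in the sample, and a longer window keeps funded addresses on the watch list for slower-moving activity.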

Following the initial attack, the team reacted promptly by pausing all contracts on Pendle, effectively preventing further losses and securing $105 million in crypto assets connected to Penpie.


Pendle also contacted other projects built on its protocol, such as Equilibria and StakeDAO, to ensure their safety. After confirming that the attack was specific to Penpie, Pendle resumed operations:

A security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie. Thanks to coordinated efforts from multiple parties, further breaches were mitigated, and Pendle contracts have now been unpaused. Normal operations have resumed.

Pendle’s team assured users that their funds were secure throughout the incident and were unaffected by the exploit.
