Decentralized Finance (DeFi) protocol Penpie recently fell victim to an exploit that drained millions of dollars worth of crypto assets. Pendle, the protocol that Penpie is built on, addressed the incident in a post-mortem, revealing that it had prevented further losses of over $100 million in user funds.
Crypto Hacker Siphons Millions From DeFi Protocol
On Tuesday, DeFi project Penpie, an independent yield optimizer built on Pendle, reported that over $20 million had been drained from the protocol. According to reports, the malicious actor exploited a flaw in the reward distribution mechanism and stole several crypto assets, including Ethena Staked USDe (sUSDe), USDC wrap, and staked Ether (ETH).
According to security firm PeckShield, the attacker used a “bad market” contract that inflated stake balances in order to claim unjustified rewards. Pendle confirmed that the vulnerability was related to a feature exclusive to Pendle that allowed “permissionless quoting of Pendle markets on Pendle.”
Attacker uses "evil market" to exploit Penpie's vulnerability. Source: PeckShield on X
The cryptocurrency heist took $7.87 million in wstETH, $2.51 million in sUSDe, $3.4 million in agETH, $2.22 million in rswETH, and four other Pendle-related yield tokens. After the attack, the hacker swapped the crypto assets for 11,113 ETH using the Li.fi protocol.
The stolen funds, worth $27.3 million, were later routed to the crypto mixer Tornado Cash. According to the report, the exploiter had sent over 3,000 ETH, or about $7.2 million, to the mixer by Wednesday morning.
The Penpie team sent a message to the attacker, asking for an “amicable” resolution of the incident. The team acknowledged the project’s vulnerability and the role the exploit played in exposing it, and offered a white-hat bounty for the safe return of the funds.
In addition, they offered the attacker the opportunity to “transition to a white-hat role where your skills will be recognized and rewarded.” The team assured the hacker that his identity would remain confidential and that no legal action would be taken against him.
As of this writing, there are no reports of the exploiter and the protocol team having reached a resolution.
Post-Mortem: Quick response prevents further losses
On Wednesday morning, Pendle’s team shared a post-mortem analysis detailing the incident. In the post on X, the DeFi protocol explained that its rapid response prevented further losses of Penpie funds.
Pendle said its “internal real-time monitoring system” immediately detected the suspicious activity, noting that the attacker’s contract had been funded with 10 ETH from Tornado Cash hours before the heist.
Timeline of the attack and Pendle's response. Source: Pendle on X
At the time of the initial attack, the relevant parties were already alerted to the red flag and quickly mobilized to protect the project’s ecosystem from further attacks. Twenty minutes after the attack, the team paused all Pendle contracts, which apparently helped prevent further losses and secured $105 million in crypto assets held in Penpie.
The DeFi protocol also reached out to other Pendle-based projects such as Equilibria and StakeDAO to check whether they were under attack and to assess the situation. After investigating, the team determined that the wider Pendle ecosystem was not under threat and that the attack was unique to Penpie, and then resumed operations:
The security breach targeting Penpie resulted in the loss of funds. In response, Pendle immediately suspended our contracts, effectively securing ~$105M that could have been further drained from Penpie. Through coordinated efforts across multiple parties, further breaches were mitigated and Pendle contracts were reinstated. Normal operations have resumed.
Ultimately, the Pendle team assured users that their funds were never at risk and the vulnerability did not impact them in any way.
Ethereum (ETH) is trading at $2,472 in the weekly chart. Source: ETHUSDT on TradingView
Featured image from Unsplash.com, chart from TradingView.com