Penpie Hack Analysis

Published on: September 25, 2024
Written by: Jarir
Duration: 5 Min
Category: Penpie Hack Analysis

Overview of Penpie Protocol

Penpie is a next-generation DeFi platform integrated with Pendle Finance, designed to boost yield and veTokenomics for its users. By locking PENDLE tokens, Penpie enables participants to gain governance rights and optimize rewards through its mPENDLE token, which is a 1:1 representation of PENDLE. Users who convert PENDLE into mPENDLE earn enhanced PENDLE rewards while enjoying greater flexibility. Meanwhile, Penpie locks the original PENDLE as vePENDLE on Pendle Finance, accumulating governance power and increasing overall yield. The platform also facilitates cost-effective acquisition of voting power through the PNP token, rewarding active participation and allowing users to maximize their returns.

Hack Impact

Penpie’s permissionless nature and reliance on external smart contracts introduced security vulnerabilities, leading to a significant exploitation event on September 3, 2024.

The Penpie platform suffered a sophisticated attack, resulting in the loss of approximately 11,113.6 ETH (valued at around $27.35 million) across Ethereum and Arbitrum. The attacker exploited a vulnerability in the system's reentrancy protection, targeting both the Arbitrum and Ethereum networks. Penpie swiftly halted all deposits and withdrawals in response, and the protocol's front end has since been restored. Despite this, the stolen funds have yet to be recovered, and Penpie is collaborating with various security firms to trace the assets and resolve the situation.

The following data is shared by the Penpie protocol, accounting for the impact of the hack.

Penpie Protocol Hack Explained

The attacker utilized a combination of fake market creation, flash loans, and reentrancy attacks to drain the funds. Below is a detailed step-by-step breakdown of the hack:


Step 1: Exploiting Reentrancy in the PendleStakingBaseUpg Contract

The attacker exploited the PendleStakingBaseUpg::batchHarvestMarketRewards() function, where the reentrancy vulnerability was located. This flaw allowed re-entering the PendleStakingBaseUpg::depositMarket() function during reward harvesting, enabling continuous and illegitimate deposits.


Step 2: Abuse of Fake Market Registrations

Leveraging Penpie’s permissionless registration feature, the attacker registered a malicious Pendle market with a specially designed SY contract. This fake market became the foundation for the reentrancy attack, allowing the hacker to siphon off the rewards.


Step 3: Flash Loan to Amplify Attack

The hacker secured flash loans in assets such as wstETH, sUSDe, egETH, and rswETH from the Balancer protocol. These assets were funneled into the malicious SY contract, inflating the value of rewards claimed during the batchHarvestMarketRewards call.


Step 4: Illicit Rewards Manipulation and Drainage

The attacker repeatedly invoked the reward harvesting function to claim disproportionately large rewards. Since they were the sole depositor in the fake market, the manipulated rewards were directed to the attacker, who later converted them back into their original token forms.
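As an added illustration for Steps 1 to 4 (simplified, hypothetical contracts written for this analysis, not Penpie's code), the vulnerable pattern sits beside a hardened form: the reentrancy guard covers only the harvest entry point, the reward is measured as a balance delta around an untrusted call into a registered market, and the stake total is read after that call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified, hypothetical contracts written for this analysis; not Penpie's code.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}
// With permissionless registration, a fake market controls what runs inside redeemRewards().
interface IMarket { function redeemRewards(address receiver) external; }

contract StakingVulnerable {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public totalStaked;    // market => LP staked
    mapping(address => uint256) public rewardPerShare; // market => reward per LP, 1e18-scaled
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(IERC20 r) { rewardToken = r; }
    // Unguarded: callable while batchHarvestMarketRewards() is mid-flight.
    function depositMarket(address market, uint256 amount) external virtual {
        require(IERC20(market).transferFrom(msg.sender, address(this), amount), "transfer");
        totalStaked[market] += amount;
    }
    function batchHarvestMarketRewards(address[] calldata markets) external virtual nonReentrant {
        for (uint256 i = 0; i < markets.length; i++) {
            uint256 before = rewardToken.balanceOf(address(this));
            IMarket(markets[i]).redeemRewards(address(this)); // untrusted call; storage may change here
            uint256 gained = rewardToken.balanceOf(address(this)) - before;
            // totalStaked is read after the external call, so a re-entrant deposit is credited
            rewardPerShare[markets[i]] += gained * 1e18 / totalStaked[markets[i]];
        }
    }
}
contract StakingHardened is StakingVulnerable {
    constructor(IERC20 r) StakingVulnerable(r) {}
    // Shares the harvest lock: a deposit attempted from inside redeemRewards() now reverts.
    function depositMarket(address market, uint256 amount) external override nonReentrant {
        require(IERC20(market).transferFrom(msg.sender, address(this), amount), "transfer");
        totalStaked[market] += amount;
    }
    function batchHarvestMarketRewards(address[] calldata markets) external override nonReentrant {
        for (uint256 i = 0; i < markets.length; i++) {
            uint256 staked = totalStaked[markets[i]]; // snapshot taken before the external call
            uint256 before = rewardToken.balanceOf(address(this));
            IMarket(markets[i]).redeemRewards(address(this));
            uint256 gained = rewardToken.balanceOf(address(this)) - before;
            rewardPerShare[markets[i]] += gained * 1e18 / staked; // pre-call snapshot, not live storage
        }
    }
}
```

Vetting which markets may be registered at all is a separate mitigation the page's "permissionless registration" remark points to; the shared lock and the pre-call snapshot are what close the re-entry path described in Step 1.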

Transaction Analysis

The attacker’s actions can be traced across a series of Ethereum and Arbitrum transactions, starting with the deployment of the malicious SY contract and ending with the theft and redistribution of the funds. Below is an analysis of the critical transactions involved in the attack:

Helper Contract Creation:

Attack Transactions:

    • Example TX: First Attack
    • Example TX: Draining Funds via Ethereum

Follow-up Communications with the Hacker:

    • The attacker received an on-chain message from Penpie encouraging negotiation without law enforcement: Message to Hacker
    • Penpie also joined forces with "Hypernative" to track the hacker's movements and set up a "SEAL 911" war room to de-escalate the situation.

Funds Flow

After the exploit, the attacker routed the stolen funds across multiple wallets and platforms, making tracking more complex. The stolen assets, primarily in ETH, were transferred in batches, with notable transactions including:

    • 11,109.62 ETH transferred to a newly created address shortly after the exploit.
    • Subsequent batch transactions splitting the funds into chunks of 1,000 ETH each, possibly for obfuscation purposes.
    • A MetaSleuth link for the detailed funds flow is attached here.