Penpie is a next-generation DeFi platform integrated with Pendle Finance, designed to boost yield and veTokenomics for its users. By locking PENDLE tokens, Penpie enables participants to gain governance rights and optimize rewards through its mPENDLE token, which is a 1:1 representation of PENDLE. Users who convert PENDLE into mPENDLE earn enhanced PENDLE rewards while enjoying greater flexibility. Meanwhile, Penpie locks the original PENDLE as vePENDLE on Pendle Finance, accumulating governance power and increasing overall yield. The platform also facilitates cost-effective acquisition of voting power through the PNP token, rewarding active participation and allowing users to maximize their returns.
Penpie’s permissionless nature and reliance on external smart contracts introduced security vulnerabilities, leading to a significant exploitation event on September 3, 2024.
The Penpie platform suffered a sophisticated attack, resulting in the loss of approximately 11,113.6 ETH (valued at around $27.35 million) across Ethereum and Aribitrum. The attacker exploited a vulnerability related to the reentrancy protection in the system, targeting both the Arbitrum and Ethereum networks. Penpie swiftly halted all deposits and withdrawals in response, and the protocol’s front end has since been restored. Despite this, the stolen funds have yet to be recovered, and Penpie is collaborating with various security firms to trace the assets and resolve the situation.
The following data is shared by Penpei protocol, accounting for the impact of the hack.
The attacker utilized a combination of fake market creation, flash loans, and reentrancy attacks to drain the funds. Below is a detailed step-by-step breakdown of the hack:
The attacker exploited the PendleStakingBaseUpg::batchHarvestMarketRewards() function, where the reentrancy vulnerability was located. This flaw allowed re-entering the PendleStakingBaseUpg::depositMarket() function during reward harvesting, enabling continuous and illegitimate deposits.
Leveraging Penpie’s permissionless registration feature, the attacker registered a malicious Pendle market with a specially designed SY contract. This fake market became the foundation for the reentrancy attack, allowing the hacker to siphon off the rewards.
The hacker secured flash loans in assets such as wstETH, sUSDe, egETH, and rswETH from the Balancer protocol. These assets were funneled into the malicious SY contract, inflating the value of rewards claimed during the batchHarvestMarketRewards call.
The attacker repeatedly invoked the reward harvesting function to claim disproportionately large rewards. Since they were the sole depositor in the fake market, the manipulated rewards were directed to the attacker, who later converted them back into their original token forms.
The attacker’s actions can be traced across a series of Ethereum and Arbitrum transactions, starting with the deployment of the malicious SY contract and ending with the theft and redistribution of the funds. Below is an analysis of the critical transactions involved in the attack:
After the exploit, the attacker routed the stolen funds across multiple wallets and platforms, making tracking more complex. The stolen assets, primarily in ETH, were transferred in batches, with notable transactions including:
Bedrock is a multi-asset liquidity re-hypothecation protocol that allows the collateralization of assets like wBTC,…
What is Berachain? Berachain is a high performance, EVM-identical Layer 1 blockchain leveraging Proof of…
On September 3, 2024, Onyx DAO, a protocol derived from Compound Finance, suffered a severe…
The cryptocurrency world continues to expand rapidly, offering new investment opportunities almost daily. One of…
In today's digital age, where data is the new currency, safeguarding sensitive information has become…
BlockApex, a premier blockchain security company, is excited to announce a security partnership with ICP…
This website uses cookies.