Pendle avoids further losses due to hacking

Decentralized finance (DeFi) protocol Penpie recently fell victim to an exploit that took millions of dollars worth of various crypto assets. Pendle, the protocol on which Penpie is based, addressed the incident in a subsequent blog post, in which it revealed that it had prevented further losses worth over $100 million in user funds.

Cryptocurrency hacker steals millions from DeFi protocol

On Tuesday, DeFi project Penpie, an independent yield optimizer based on Pendle, saw over $20 million in funds drained from the protocol. The malicious actor reportedly exploited a vulnerability in its reward distribution mechanism and stole several crypto assets, including Ethena Staked USDe (sUSDe), Wrapped USDC, and Staked Ether (ETH).

According to security firm PeckShield, the exploiter used an “evil marketplace” contract that inflated the stake balance to claim unjustified rewards. Pendle confirmed that the vulnerability was linked to a Penpie-exclusive feature that allowed “permissionless inclusion of Pendle marketplaces on Penpie.”

Attacker uses "evil market" to exploit Penpie's vulnerability. Source: PeckShield on X

The cryptocurrency theft netted $7.87 million worth of wstETH, $2.51 million worth of sUSDe, $3.4 million worth of agETH, $2.22 million worth of rswETH, and four other Pendle-related yield tokens. Following the attack, the hacker exchanged the crypto assets for 11,113 ETH using the Li.fi protocol.

The stolen funds, worth $27.3 million, were subsequently transferred to the Tornado Cash cryptocurrency mixer. According to the report, the exploiter sent more than 3,000 ETH, around $7.2 million, to the mixer on Wednesday morning.

The Penpie team sent a message to the attacker, asking him to resolve the incident in an “amicable” manner. The protocol acknowledged the project's vulnerability and the exploit's role in revealing it, and proposed a white hat reward for the safe return of the funds.

In addition, they offered the attacker the opportunity to “transition into a white hat role, where their skills will be recognized and rewarded.” The team assured that the hacker’s identity would remain confidential and that they would not take any legal action against him.

At the time of writing, there are no reports of a resolution between the exploiter and the protocol team.

Post-mortem: A quick response prevents further losses

On Wednesday morning, the Pendle team shared a postmortem detailing the incident. In the X post, the DeFi protocol explained that the project’s effective response prevented further losses from Penpie’s funds.

Pendle said its “internal real-time monitoring system” immediately detected suspicious activity as the contract was funded with 10 ETH from Tornado Cash hours before the theft.

Timeline of the attack and Pendle's response. Source: Pendle on X

At the time of the first attack, the parties involved were already aware of the red flag and quickly mobilized to protect the project’s ecosystem from further attacks. Twenty minutes after the attack, the team halted all Pendle contracts, which apparently helped prevent further losses and safeguard $105 million worth of Penpie’s crypto assets.

The DeFi protocol also reached out to other Pendle-based projects, such as Equilibria and StakeDAO, to check if they were under attack and assess the situation. After investigating, the team determined that the Pencosystem was secure and that the attack had been exclusive to Penpie, and then resumed operations:

A security breach affecting Penpie resulted in the loss of some funds. In response, Pendle quickly suspended our contracts, effectively safeguarding approximately $105 million that could have been further lost from Penpie. Through the coordinated efforts of multiple parties, further breaches were mitigated and Pendle contracts were no longer suspended. Operations have resumed as normal.

Finally, the Pendle team assured users that their funds were never at risk and would not be affected by the exploit.

Ethereum (ETH) is trading at $2,472 in the weekly chart. Source: ETHUSDT on TradingView
