Yield protocol Penpie received exploited for $27 million on Sept. 3 after a malicious agent explored a vulnerability within the protocol’s good contracts.
Penpie is a yield protocol on Pendle that goals to spice up rewards for customers on the community.
Reentrancy exploited
In a Sept. 4 breakdown, blockchain safety agency Hacken defined that the attacker used a pool with pretend tokens to carry out the heist. The exploiter created worthless variations of Pendle’s yield-bearing tokens, Standardized Yield (SY), and tied them to invaluable belongings.
The attacker deployed 5 malicious contracts to behave as professional liquidity swimming pools and trick Penpie’s rewards system, however solely three of them have been used. He then leveraged the pretend SY tokens as tickets to assert actual yield.
Three assault transactions have been executed between 6:25 P.M. and 6:42 P.M. UTC. The primary transaction extracted the very best quantity, siphoning $15.7 million, adopted by two different transactions that took $5.6 million every out of Penpie’s contract.
The exploiter received away with 695 Restaked Swell ETH (rswETH), 4,101 Kelp Achieve (agETH), 2,723 Wrapped Staked ETH (wstETH), and a pair of.52 million Staked Ethena USD (sUSDe).
The remaining two malicious contracts deployed by the exploiter weren’t used within the assault, which was made potential as a result of a reentrancy vulnerability in Penpie’s contract.
A reentrancy vulnerability happens when a contract must make an exterior name to a different good contract earlier than updating its personal state. Thus, malicious contracts can idiot the protocol by altering info and inputting actions.
Notably, the losses might have been bigger. Pendle recognized the malicious transactions and paused its contracts at 6:45 P.M. UTC, three minutes after the third assault. Hacken highlighted:
“This was essential, because the attacker deployed a fourth malicious contract solely a minute later. Pausing Pendle’s contracts successfully halted the exploit, stopping additional loss.”
The entire batch of tokens was transformed to Ethereum (ETH), amounting to roughly 10,113 ETH. The exploiter transferred 3,000 ETH to the mixer service Twister Money and presently holds 7,113.27 ETH, in line with on-chain information.
The Penpie staff reached out to the exploited by way of an on-chain message and an X submit acknowledging the hack and claiming to be open to negotiating a bounty in alternate for the funds stolen. Moreover, they promised that no authorized motion can be pursued.
Talked about on this article
