Decentralized Finance (DeFi) Protocol Penpie recently fell victim to an exploit that took millions of dollars worth of several crypto assets. Pendle, the protocol Penpie is based on, addressed the incident in a post-mortem post, revealing to have prevented further losses worth over $100 million in users’ funds.
Crypto Hacker Drains Millions From DeFi Protocol
On Tuesday, DeFi project Penpie, a Pendle-based independent yield optimizer, saw over $20 million in funds drained from the protocol. Per the reports, the malicious actor exploited a vulnerability in its reward distribution mechanism and stole several crypto assets, including Ethena Staked USDe (sUSDe), wrapped USDC, and staked Ether (ETH).
According to security firm PeckShield, the exploiter used an “evil market” contract that inflated the staking balance to claim unwarranted rewards. Pendle confirmed the vulnerability was linked to a Penpie-only feature that allowed “permissionless listing of Pendle markets on Penpie.”
Attacker uses "evil market" to exploit Penpie's vulnerability. Source: PeckShield on X
The crypto heist took $7.87 million in wstETH, $2.51 million in sUSDe, $3.4 million agETH, $2.22 million in rswETH, and four other Pendle-related Yield tokens. Following the exploit, the hacker swapped the crypto assets for 11,113 ETH using the Li.fi protocol.
The stolen funds, worth $27.3 million, were later transferred to crypto mixer Tornado Cash. Per the report, the exploiter sent over 3,000 ETH, around $7.2 million, to the mixer by Wednesday morning.
The Penpie Team sent a message to the attacker, asking them to “amicably” resolve the incident. The protocol recognized the project’s vulnerability and the exploit’s role in bringing it forward, proposing a white hat bounty for the safe return of the funds.
Additionally, they offered the attacker an opportunity to “transition into a white-hat role, where your skills will be acknowledged and rewarded.” The team assured that the hacker’s identity would remain confidential and they would not pursue any legal action against them.
As of this writing, there are no reports of a resolution between the exploiter and the protocol’s team.
Post-Mortem: Quick Response Prevents Further Losses
On Wednesday morning, Pendle’s team shared a post-mortem detailing the incident. In the X post, the DeFi protocol explained that the project’s effective response prevented further losses from Penpie’s funds.
Pendle stated that its “real-time in-house monitoring system” immediately detected suspicious activity as the contract was funded with 10 ETH from Tornado Cash hours before the heist.
Timeline of the attack and Pendle's response. Source: Pendle on X
By the time of the first attack, the parties involved were aware of the red flag and quickly mobilized to protect the project’s ecosystem from subsequent attacks. Twenty minutes after the exploit, the team paused all contracts on Pendle, which seemingly helped prevent more losses and safeguard $105 million in crypto assets from Penpie.
The DeFi protocol also contacted other Pendle-based projects, like Equilibria and StakeDAO, to check if they were under attack and assess the situation. After investigating, the team determined that the Pencosystem was safe and the attack was unique to Penpie before resuming operations:
A security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie. Thanks to coordinated efforts from multiple parties, further breaches were mitigated, and Pendle contracts have now been unpaused. Normal operations have resumed.
Ultimately, Pendle’s team assured users their funds were never at risk, and they remain unaffected by the exploit.
Ethereum (ETH) is trading at $2,472 in the weekly chart. Source: ETHUSDT on TradingView