Yield protocol Penpie obtained exploited for $27 million on Sept. 3 after a malicious agent explored a vulnerability within the protocol’s good contracts.
Penpie is a yield protocol on Pendle that goals to spice up rewards for customers on the community.
Reentrancy exploited
In a Sept. 4 breakdown, blockchain safety agency Hacken defined that the attacker used a pool with pretend tokens to carry out the heist. The exploiter created worthless variations of Pendle’s yield-bearing tokens, Standardized Yield (SY), and tied them to precious property.
The attacker deployed 5 malicious contracts to behave as authentic liquidity swimming pools and trick Penpie’s rewards system, however solely three of them had been used. He then leveraged the pretend SY tokens as tickets to assert actual yield.
Three assault transactions had been executed between 6:25 P.M. and 6:42 P.M. UTC. The primary transaction extracted the very best quantity, siphoning $15.7 million, adopted by two different transactions that took $5.6 million every out of Penpie’s contract.
The exploiter obtained away with 695 Restaked Swell ETH (rswETH), 4,101 Kelp Achieve (agETH), 2,723 Wrapped Staked ETH (wstETH), and a pair of.52 million Staked Ethena USD (sUSDe).
The remaining two malicious contracts deployed by the exploiter weren’t used within the assault, which was made doable as a consequence of a reentrancy vulnerability in Penpie’s contract.
A reentrancy vulnerability happens when a contract must make an exterior name to a different good contract earlier than updating its personal state. Thus, malicious contracts can idiot the protocol by altering data and inputting actions.
Notably, the losses might have been bigger. Pendle recognized the malicious transactions and paused its contracts at 6:45 P.M. UTC, three minutes after the third assault. Hacken highlighted:
“This was essential, because the attacker deployed a fourth malicious contract solely a minute later. Pausing Pendle’s contracts successfully halted the exploit, stopping additional loss.”
The entire batch of tokens was transformed to Ethereum (ETH), amounting to roughly 10,113 ETH. The exploiter transferred 3,000 ETH to the mixer service Twister Money and at present holds 7,113.27 ETH, in response to on-chain knowledge.
The Penpie crew reached out to the exploited through an on-chain message and an X publish acknowledging the hack and claiming to be open to negotiating a bounty in trade for the funds stolen. Moreover, they promised that no authorized motion can be pursued.