DeFi project Pendle claimed on Tuesday that it had secured approximately $105 million in funds that could have been lost from Penpie, an independent yield optimization tool in the Pendle ecosystem, after it was hacked.
In a post-mortem following the early morning incident on Wednesday, Pendle said the funds were protected because the contract was immediately suspended. “Thanks to the coordinated efforts of multiple parties, further breaches were mitigated and the Pendle contract is now uninterrupted. Normal operations have resumed,” the project wrote on X. “We would like to reassure Pendies that their funds on Pendle are safe and unaffected, and we will continue to prioritize the safety and security of our platform above all else.”
However, according to blockchain analytics provider Lookonchain, attackers exploited Penpie’s protocol to steal around $27.3 million, exchanging various assets for 11,109 ETH.
Blockchain security firm PeckShield said the root cause was the introduction of “evil markets,” malicious contracts used to inflate Penpie’s staking balances to claim unfair rewards.
Pendle confirmed that the vulnerability was related to a unique feature of Penpie that allowed Pendle markets to be registered without permission. Pendle claimed that its own monitoring system immediately detected the suspicious contracts, which were funded through Tornado Cash. However, the detection did not prevent the initial attack.
According to CoinGecko data, Penpie’s PNP token fell more than 33% immediately following the incident, while Pendle’s native token fell about 9% in the last 24 hours, according to The Block’s Pendle price page.
Penpie paused for a moment and later revealed that it was willing to negotiate with the hacker. In exchange for the attacker’s cooperation, it offered not to take legal action, to keep the attacker’s identity secret, and to pay a percentage of the funds as a bounty reward.
© 2024 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be legal, tax, investment, financial or other advice.