2 Auditors Missed $27 Million Penpie Flaw, Pythia’s ‘Billing Reward’ Bug: Crypto-Sec

By Crypto Flexs | September 10, 2024 | 5 Mins Read

Pythia reentrancy attack

Pythia Finance, a decentralized finance protocol, had $53,000 stolen via a reentrancy attack on September 3, according to a report from blockchain security firm Quill Audits. Pythia is an algorithmic stablecoin project that aims to manage finances using artificial intelligence.

An attacker was able to collect more rewards than they were entitled to by repeatedly calling the “Claim Reward” function before the reward balance could be updated after each call.

According to the report, the attacker was able to call this function repeatedly and in rapid succession because Pythia calls the token’s “secure transfer” function when rewards are distributed. This could cause a malicious token contract to call back into Pythia, which would then trigger another callback, creating a chain reaction that would drain the protocol’s funds.

On the left is the Pythia code that exploits the vulnerability, and on the right is a text description of the vulnerability.
Screenshot of the Pythia partial audit report. (Pythia/X).

Quill Audits’ partial audit report on Pythia shows no outstanding security issues whatsoever, suggesting the team may have upgraded their contracts to prevent further use of this exploit.

Reentrancy attacks are one of the most common types of smart contract exploits. In a reentrancy attack, the attacker calls a function repeatedly without allowing its code to fully execute between calls.
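The claim-reward flow described above, modelled in Python as an added example (this is not Pythia's contract code). The class names, the `on_transfer` hook and all amounts are constructed for illustration; the only difference between the two modes is whether the reward balance is zeroed before or after the external transfer call.

```python
class CallbackToken:
    """Constructed token whose transfer hands control to external code."""

    def __init__(self):
        self.balances = {}
        self.on_transfer = None  # hook the token runs during transfer

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        if self.on_transfer:
            self.on_transfer()  # control leaves the pool here


class RewardPool:
    """Toy reward pool; `hardened` selects checks-effects-interactions."""

    def __init__(self, token, owed, hardened):
        self.token = token
        self.owed = dict(owed)  # user -> unclaimed reward
        self.hardened = hardened

    def claim_reward(self, user):
        amount = self.owed.get(user, 0)
        if amount == 0:
            return
        if self.hardened:
            self.owed[user] = 0  # effect first: a re-entrant call sees 0
        self.token.transfer("pool", user, amount)  # external call
        if not self.hardened:
            self.owed[user] = 0  # too late: re-entrant calls already paid out


def simulate(hardened, pool_funds=1000, reward=100, reentries=5):
    """Return how much the claimer holds after one top-level claim."""
    token = CallbackToken()
    token.balances["pool"] = pool_funds
    pool = RewardPool(token, {"claimer": reward}, hardened)
    remaining = [reentries]

    def reenter():
        if remaining[0] > 0:
            remaining[0] -= 1
            pool.claim_reward("claimer")

    token.on_transfer = reenter
    pool.claim_reward("claimer")
    return token.balances.get("claimer", 0)
```

With the update placed after the transfer, one claim of 100 pays out 600 across six nested calls; with the update placed first, the same sequence pays out 100.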

Critical vulnerability in Zyxel

On September 4, networking hardware manufacturer Zyxel disclosed that some of its networking equipment had a critical vulnerability that could allow attackers to execute code on users’ routers and access points, potentially giving hackers access to users’ devices.

According to the disclosure, the vulnerability is a result of “improper sanitization of a special element in the parameter ‘host’ of a CGI program” in several different firmware versions. Because of this improper sanitization, these firmware versions “allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”

Cryptocurrency wallet users should be especially wary of potential attacks on their home networks. If an attacker gains access to a user’s home network, they can use this access to redirect the user’s traffic via DNS spoofing, view unencrypted data transmitted over the network, or use deep packet inspection to decrypt encrypted data. The data obtained can be used in social engineering attacks to convince the user to approve transactions or share their private keys.

Zyxel has provided a list of potentially affected devices, including the NWA50AX PRO, NWA90AX, WAC500 and other access points, as well as the USG LITE 60AX router. The manufacturer has advised users of these devices to upgrade their firmware.

Penpie exploiters created a fake Pendle Market.

According to a September 4 report from blockchain security firm Zokyo, the $27 million Penpie exploit was possible due to a flaw that allowed any user to create a Pendle Market. The report states that Zokyo audited a previous version of the protocol, which did not contain the flaw at the time.

According to the report, Penpie includes a function called “registerPenpiePool” that can be used to register new pool addresses and Pendle Markets. To prevent malicious markets from being registered, a modifier is included to check if the Pendle Market is already registered to the factory contract of Pendle Finance. If it is not registered to this factory contract, it cannot be registered. However, any user can register their own market to the factory contract by calling the createNewMarket function on the factory contract. According to the report, this basically means that any user can create and register a Pendle Market.

Attackers exploited this vulnerability to create fake Pendle Markets and pools, which were configured to offer valuable Pendle tokens as rewards.

Pendle Finance code to create new market features
Pendle Finance createNewMarket function. (Zokyo).

The protocol also contained a reentrancy flaw that allowed the attacker to repeatedly deposit tokens into all markets before other balances were updated. The attacker would repeatedly call the deposit function, artificially inflating the rewards they would receive. They would then withdraw their deposits and claim their rewards, draining the protocol of over $27 million.

According to the report, the reentrancy flaw was present in the version that Zokyo audited, but that version only allowed the protocol team to register new pools and markets, preventing external attackers from exploiting them. The report states:

“The _market parameter received in the batchHarvestMarketRewards(…) method was expected to be non-malicious, as in previous versions of the code audited by Zokyo, only the owner (multi-signature) could register a pool.”

In a separate report published on September 3, the Penpie team claimed that Zokyo introduced “permissionless pool registration” about a year after the audit. At that time, they hired security firm AstraSec to audit the new registration system. However, the scope of this audit only included new contracts. Since the exploit originated from an interaction between two different contracts audited by two different teams, neither team caught the vulnerability. Penpie claimed that they will be conducting “periodic audits of the entire protocol” in the future to prevent such incidents from happening again.
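The trust assumption behind the registration check, modelled in Python as an added example (this is not Penpie's or Pendle's code). The class names, the `untrusted_callees` helper, the addresses and the market names are constructed; the model shows why "registered with the factory" stops working as an access control once market creation and pool registration are both open to any caller.

```python
class MarketFactory:
    """Stand-in for the factory contract: anyone may create a market."""

    def __init__(self):
        self.creator_of = {}  # market -> address that created it

    def create_new_market(self, caller, market):
        self.creator_of[market] = caller  # no caller restriction
        return market


class PoolRegistry:
    """Stand-in for pool registration in the two versions described."""

    def __init__(self, factory, owner, permissionless):
        self.factory = factory
        self.owner = owner
        self.permissionless = permissionless
        self.pools = []

    def register_pool(self, caller, market):
        # Modifier from the report: the market must be known to the factory.
        if market not in self.factory.creator_of:
            raise PermissionError("market not registered with factory")
        # Audited version: only the owner (multi-signature) could register.
        if not self.permissionless and caller != self.owner:
            raise PermissionError("only the owner may register pools")
        self.pools.append(market)


def untrusted_callees(registry, trusted_creators):
    """Registered markets that harvest would call but no trusted party made."""
    creators = registry.factory.creator_of
    return [m for m in registry.pools if creators[m] not in trusted_creators]


def scenario(permissionless):
    factory = MarketFactory()
    registry = PoolRegistry(factory, "multisig", permissionless)
    factory.create_new_market("pendle-team", "market-A")
    registry.register_pool("multisig", "market-A")
    factory.create_new_market("outsider", "market-X")  # open to any caller
    try:
        registry.register_pool("outsider", "market-X")
    except PermissionError:
        pass  # owner-only version rejects the outsider
    return untrusted_callees(registry, {"pendle-team"})
```

In the owner-only configuration every market reached by the harvest path was vetted by the owner; in the permissionless configuration the factory check passes for `market-X`, so code that assumed a non-malicious `_market` now calls into a contract nobody reviewed.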

Penpie is a decentralized finance protocol that aims to provide yield enhancement to Pendle Finance users. The exploit occurred on September 3.

Christopher Locke

Some say he is a white hat hacker living in the black mining hills of Dakota, pretending to be a children’s crossing guard to avoid the NSA’s eyes. What we do know is that Christopher Locke has a pathological desire to hunt scammers and hackers.
