TL;DR
- $105 Million Saved: Pendle swiftly paused contracts to prevent further losses after a $27.3 million hack on its yield optimizer, Penpie.
- Exploit Details: The attacker used a malicious contract to exploit Penpie’s permissionless listing feature, inflating staking balances and claiming rewards.
- Response and Recovery: Pendle’s quick action and collaboration with security experts safeguarded the majority of funds, and normal operations have resumed.
In a recent security breach, the DeFi protocol Pendle successfully safeguarded approximately $105 million from being further drained following a hack on its yield optimizer, Penpie. The incident, which resulted in the theft of $27.3 million, was mitigated by a swift contract pause that prevented additional breaches.
Post Mortem
Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.
Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK
— Pendle (@pendle_fi) September 4, 2024
The attacker exploited a unique feature within the Penpie protocol that allows for permissionless listings. By launching a malicious “evil market” contract, the hacker was able to inflate the staking balance on Penpie, fraudulently claiming rewards.
Pendle confirmed that the vulnerability was associated with a unique feature permitting the permissionless listing of Pendle markets on Penpie.
The company stated that its in-house monitoring system promptly detected the suspicious contract, which had been funded through Tornado Cash. However, it was unable to prevent the initial attack. Despite this, Pendle’s quick response ensured that the majority of funds remained secure.
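The failure mode described above, a permissionlessly listed market contract whose self-reported staking balance is trusted by the reward logic, can be modelled in a few lines. The Python below is an added illustration for this article, not Penpie's or Pendle's code: it contrasts a distributor that accepts any market and pays rewards from the balance the market reports with one that only lists markets present in the trusted factory's registry and pays rewards from its own deposit ledger. The class names, the `PendleMarketFactory` label, the market ids and all amounts are constructed for the example.

```python
"""Toy model of reward accounting under permissionless market listing.

Constructed illustration, not Penpie's or Pendle's code. A naive distributor
trusts whatever staked balance a listed market reports; a guarded distributor
(a) only lists markets the trusted factory actually deployed and (b) derives
rewards from deposits it recorded itself, so a market's self-report is never
an input to payouts.
"""
from dataclasses import dataclass, field


class HonestMarket:
    """Market that reports balances it really holds (constructed)."""

    def __init__(self) -> None:
        self._staked: dict[str, int] = {}

    def stake(self, user: str, amount: int) -> None:
        self._staked[user] = self._staked.get(user, 0) + amount

    def staked_balance(self, user: str) -> int:
        return self._staked.get(user, 0)


class EvilMarket:
    """Attacker-deployed market that reports an arbitrary balance (constructed)."""

    def __init__(self, inflated: int) -> None:
        self._inflated = inflated

    def staked_balance(self, user: str) -> int:
        return self._inflated  # not backed by any real deposit


@dataclass
class NaiveDistributor:
    """Lists any market and trusts market.staked_balance() for payouts."""

    reward_per_token: int
    markets: dict = field(default_factory=dict)

    def list_market(self, market_id: str, market) -> None:
        self.markets[market_id] = market  # no provenance check

    def claim(self, market_id: str, user: str) -> int:
        return self.markets[market_id].staked_balance(user) * self.reward_per_token


@dataclass
class GuardedDistributor:
    """Lists only factory-registered markets; pays from its own ledger."""

    reward_per_token: int
    factory_registry: set  # market ids the trusted factory actually deployed
    markets: dict = field(default_factory=dict)
    ledger: dict = field(default_factory=dict)  # (market_id, user) -> staked

    def list_market(self, market_id: str, market) -> bool:
        # Consult the factory's registry, never the market's own claims.
        if market_id not in self.factory_registry:
            return False
        self.markets[market_id] = market
        return True

    def deposit(self, market_id: str, user: str, amount: int) -> None:
        if market_id not in self.markets:
            raise KeyError("market not listed")
        key = (market_id, user)
        self.ledger[key] = self.ledger.get(key, 0) + amount

    def claim(self, market_id: str, user: str) -> int:
        # Rewards come only from deposits this contract recorded itself.
        return self.ledger.get((market_id, user), 0) * self.reward_per_token


def demo() -> dict:
    """Run both distributors against an honest and an attacker market."""
    registry = {"market-A"}  # constructed: PendleMarketFactory deployed only market-A
    honest = HonestMarket()
    honest.stake("alice", 100)
    evil = EvilMarket(inflated=10**9)

    naive = NaiveDistributor(reward_per_token=2)
    naive.list_market("market-A", honest)
    naive.list_market("evil-market", evil)  # permissionless: accepted as-is

    guarded = GuardedDistributor(reward_per_token=2, factory_registry=registry)
    guarded.list_market("market-A", honest)
    evil_listed = guarded.list_market("evil-market", evil)
    guarded.deposit("market-A", "alice", 100)

    return {
        "naive_honest": naive.claim("market-A", "alice"),
        "naive_evil": naive.claim("evil-market", "attacker"),
        "guarded_honest": guarded.claim("market-A", "alice"),
        "guarded_evil_listed": evil_listed,
        "guarded_evil": guarded.claim("evil-market", "attacker"),
    }


if __name__ == "__main__":
    print(demo())
```

The guarded version makes two independent changes, and either alone closes the gap in the model: a registry check means an attacker cannot get an arbitrary contract listed, and an internal ledger means even a listed market's reported balance has no bearing on what is paid out. Real protocols additionally need reentrancy protection around any external call into a market, which this accounting-only model does not cover.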
Pendle’s Response and Recovery
Pendle stated that the funds were safeguarded following a swift pause in its contracts. Due to coordinated efforts from multiple parties, further breaches were prevented, and Pendle contracts have now been reactivated.
Normal operations have resumed, the project announced on X. Pendle reassured its users that funds on the platform remain safe and unaffected, emphasizing its commitment to prioritizing the safety and security of the platform above all else.
Penpie, which is still paused, later expressed its willingness to negotiate with the hacker after the exploit. In return for their cooperation, Penpie offered to refrain from pursuing legal action, keep the attacker’s identity confidential, and provide a percentage of the funds as a bounty reward.
Community Impact
This incident highlights the ongoing challenges and vulnerabilities within the DeFi space. While Pendle’s quick action prevented a more significant loss, the hack underscores the importance of robust security measures and the need for continuous vigilance in the rapidly evolving world of decentralized finance.