Penpie exploited for $27 million in reentrancy attack
The exploiter created malicious smart contracts and fraudulent tokens that posed as legitimate liquidity pools to trick Penpie's contract.
Yield protocol Penpie was exploited for $27 million on Sept. 3 after a malicious actor exploited a vulnerability in the protocol's smart contracts.
Penpie is a yield protocol built on Pendle that aims to earn rewards for users on the network.
Reentrancy exploited
In a Sept. 4 breakdown, blockchain security firm Hacken explained that the attacker used a pool with fraudulent tokens to pull off the heist. The exploiter created worthless versions of Pendle's yield-bearing tokens, Standardized Yield (SY), and linked them to worthless assets.
The attacker deployed five malicious contracts to pose as legitimate liquidity pools and trick Penpie's rewards mechanism, but only three of them were used. He then leveraged the fraudulent SY tokens as tickets to claim real yield.
Three attack transactions were executed between 6:25 P.M. and 6:42 P.M. UTC. The main transaction extracted the largest amount, siphoning $15.7 million, followed by two more transactions that took $5.6 million each out of Penpie's contract.
The exploiter got away with 695 Restaked Swell ETH (rswETH), 4,101 Kelp Gain (agETH), 2,723 Wrapped Staked ETH (wstETH), and 2.52 million Staked Ethena USD (sUSDe).
The last two malicious contracts deployed by the exploiter were not used in the attack, which was made possible by a reentrancy vulnerability in Penpie's contract.
A reentrancy vulnerability occurs when a contract makes an external call to another smart contract before updating its own state. As a result, a malicious contract called this way can re-enter the protocol while its state is stale, fooling it by altering data and injecting actions.
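To make the two failure modes described above concrete (an untrusted pool address accepted as a reward source, and an external call made before the vault's own bookkeeping is updated), here is an added illustration. It is not Penpie's or Pendle's code: the vault, the `IPool` interface with its `onHarvest` hook, and the `accrue`/`registerPool` functions are hypothetical stand-ins for a reward system. The first contract shows the pattern that allows re-entry; the second shows the same logic with a pool allowlist, a reentrancy lock, and the checks-effects-interactions ordering.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Penpie's or Pendle's code. All names are hypothetical.

// Hypothetical hook a pool is expected to implement. Because the vault calls
// it, the pool (which may be attacker-controlled) regains execution control.
interface IPool {
    function onHarvest(uint256 amount) external;
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (for study only, do not deploy).
contract VulnerableVault {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public accrued; // rewards credited per pool
    mapping(address => uint256) public paid;    // rewards already paid out per pool

    constructor(IERC20 token) { rewardToken = token; }

    // Hypothetical accounting entry point; access control omitted for brevity.
    function accrue(address pool, uint256 amount) external { accrued[pool] += amount; }

    function harvest(address pool) external {
        // Problem 1: `pool` is never checked against a registry, so any
        // caller-supplied contract is treated as a legitimate reward source.
        uint256 owed = accrued[pool] - paid[pool];
        require(owed > 0, "nothing owed");

        // Problem 2: the external call precedes the state update. If `pool`
        // re-enters harvest() from inside onHarvest(), `paid[pool]` is still
        // stale, so `owed` is computed (and transferred) a second time.
        IPool(pool).onHarvest(owed);

        paid[pool] += owed;                                  // effect, too late
        require(rewardToken.transfer(msg.sender, owed), "transfer failed");
    }
}

// HARDENED FORM: allowlisted pools, a reentrancy lock, and
// checks -> effects -> interactions ordering.
contract HardenedVault {
    IERC20 public immutable rewardToken;
    address public immutable admin;               // may register pools
    mapping(address => bool) public isRegistered; // pool allowlist
    mapping(address => uint256) public accrued;
    mapping(address => uint256) public paid;

    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lock = UNLOCKED;

    // Minimal mutex: a nested call into any nonReentrant function reverts.
    modifier nonReentrant() {
        require(lock == UNLOCKED, "reentrant call");
        lock = LOCKED;
        _;
        lock = UNLOCKED;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(IERC20 token) { rewardToken = token; admin = msg.sender; }

    function registerPool(address pool) external onlyAdmin { isRegistered[pool] = true; }

    function accrue(address pool, uint256 amount) external onlyAdmin {
        require(isRegistered[pool], "unknown pool");
        accrued[pool] += amount;
    }

    function harvest(address pool) external nonReentrant {
        // Checks: only pools the protocol itself registered are reward sources.
        require(isRegistered[pool], "unknown pool");
        uint256 owed = accrued[pool] - paid[pool];
        require(owed > 0, "nothing owed");

        // Effects: update bookkeeping before any external call leaves this contract.
        paid[pool] += owed;

        // Interactions: external calls come last; even if one of them
        // re-enters, the lock reverts the nested call and `owed` is already settled.
        require(rewardToken.transfer(msg.sender, owed), "transfer failed");
        IPool(pool).onHarvest(owed);
    }
}
```

The two defences are independent and worth combining: the allowlist removes the attacker's ability to substitute a contract of their own as a reward source, while the lock plus ordering ensures that even a registered but compromised pool cannot be paid twice from one accrual. Pausing, as Pendle did, is the operational backstop for when a bug in this logic is discovered live.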
Notably, the losses could have been larger. Pendle identified the malicious transactions and paused its contracts at 6:45 P.M. UTC, three minutes after the third attack. Hacken highlighted:
"This was crucial, because the attacker deployed a fourth malicious contract only a minute later. Pausing Pendle's contracts effectively halted the exploit, preventing further loss."
The entire batch of tokens was converted to Ethereum (ETH), amounting to roughly 10,113 ETH. The exploiter transferred 3,000 ETH to the mixer service Tornado Cash and currently holds 7,113.27 ETH, according to on-chain data.
The Penpie team reached out to the exploiter via an on-chain message and an X post acknowledging the hack and stating they were open to negotiating a bounty in exchange for the stolen funds. Furthermore, they promised that no legal action would be pursued.
Source credit : cryptoslate.com