On September 3rd, a hacker targeted the DeFi protocol Penpie, extracting digital assets worth over $27.3 million, according to experts from PeckShield.
The loss is >$27M if we take into account the stolen YT tokens and possibly loss from other chain. https://t.co/5bdhjf2WIH
— PeckShield Inc. (@peckshield) September 3, 2024
“The root cause was the introduction of a malicious market, which was used to inflate the staking balance to gain undue rewards,” explained the experts.
The Penpie team stated that their internal monitoring system detected a suspicious contract funded from the Tornado Cash mixer. Developers halted deposits and withdrawals, as well as the operation of all markets on the platform.
They noted that timely actions helped protect approximately $105 million, which the hacker could have potentially extracted from Penpie.
The team confirmed that the perpetrator exploited a protocol feature allowing unrestricted market placements.
Post Mortem
Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.
Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK
— Pendle (@pendle_fi) September 4, 2024
At the time of writing, the platform has resumed normal operations. Penpie has offered the hacker a chance to become a “white hat” by returning the funds for a reward. In return, they promised confidentiality and no legal action.
“We hope you see the value in resolving this matter peacefully. Please contact us to discuss the details,” the developers wrote.
PeckShield experts recorded the hacker transferring at least approximately 3000 ETH (~$7.32 million) to Tornado Cash for laundering.
#PeckShieldAlert @Penpiexyz_io exploiter-labeled address 0x2f2d…1C39 (Balance: 7.1K $ETH) has moved 1K $ETH (worth ~$2.4M) to the related laundering address 0xD440…6cC3 (Laundering)
The laundering address 0xD440…6cC3 has transferred another 100 $ETH to #TornadoCash pic.twitter.com/MW8RUPKrim— PeckShieldAlert (@PeckShieldAlert) September 4, 2024
The price of the Penpie token (PNP) reacted to the incident by plummeting from $1.33 to $0.89. Prices have since recovered to around $0.98, marking a 34.2% loss over the day (CoinGecko).
The coin’s market capitalization stands at ~$5.15 million.
According to DeFi Llama, the value locked in Penpie’s smart contracts is $90.44 million. At its peak in July, this figure exceeded $386 million.
In August, hackers stole digital assets worth $313.86 million in over 10 attacks, as calculated by PeckShield.
Update (September 4, 2024, 11:20 Kyiv/Moscow): corrected the mistakenly mentioned project name Pendle.