Pendle's Swift Action Saves $105M After Penpie $27M Hack

Van Thanh Le

•

Sep 5 2024

last week3 minutes read

Cubic robot defends secure networks against hacker storm vortex

Penpie Protocol Hit Hard by $27 Million Hack

Penpie, a decentralized finance (DeFi) protocol based on the Pendle yield platform, was rocked by a major hack on September 3, 2024. The breach, driven by a malicious "evil market" contract, resulted in the theft of roughly $27 million in crypto assets.

ALERTHey @Penpiexyz_io, Our system has raised multiple suspicious transaction involving your contract!

And suspicious address funded by @TornadoCash cash has executed a malicious transaction and got around $27M worth of digital assets!

Affected tokens are $wstETH,… pic.twitter.com/Dgl6ReYLgr
— Cyvers Alerts (@CyversAlerts) September 3, 2024

The attacker manipulated a vulnerability to inflate staking balances fraudulently, allowing them to collect rewards unlawfully. Among the stolen assets were staked Ethereum (ETH), Ethena’s sUSDE, and wrapped USDC. These were swiftly converted to ETH through the Li.Fi protocol.

The hacker initiated the attack by transferring 10 ETH (worth about $25,000) to an address via Tornado Cash, a crypto mixer used to obscure transactions. Within 12 hours, $7 million—26% of the total stolen amount—was laundered through Tornado Cash. The attacker has continued to move stolen assets through various Tornado Cash addresses, making it challenging to track the funds.

#PeckShieldAlert @Penpiexyz_io exploiter-labeled address 0x2f2d...1C39 (Balance: 7.1K $ETH) has moved 1K $ETH (worth ~$2.4M) to the related laundering address 0xD440...6cC3 (Laundering)
The laundering address 0xD440...6cC3 has transferred another 100 $ETH to #TornadoCash pic.twitter.com/MW8RUPKrim
— PeckShieldAlert (@PeckShieldAlert) September 4, 2024

Penpie's native token (PNP) suffered a significant drop, falling by 40% post-attack, while Pendle's token (PENDLE) saw an 8% decline before partially recovering. In response, Penpie promptly paused all contracts to prevent further asset loss.

Pendle, though not directly compromised, also suspended contracts temporarily to protect users and collaborate with Penpie. This decisive action helped save $105 million worth of funds on Pendle from further potential loss.

Post Mortem

Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.

Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK
— Pendle (@pendle_fi) September 4, 2024

As of September 4, 2024, Pendle resumed normal operations after thorough checks, while Penpie remains paused as it assesses the damage and mitigates future risks. Security experts from Seal 911 have been engaged to bolster defenses.

We have prepared a detailed Post-Mortem Report outlining our efforts over the past 24 hours to address the security breach at @Penpiexyz_io, including a thorough analysis of the situation.

We remain committed to transparency and the recovery of funds.

Details:… pic.twitter.com/wZ8GU73BQ8
— Penpie (@Penpiexyz_io) September 4, 2024

The Penpie hack underscores a troubling trend in 2024, where crypto hacks have surged. By August, over $313 million in crypto assets had been stolen, reflecting a rise in DeFi vulnerabilities.

A report from Immunefi reveals a staggering $1.2 billion lost across 154 incidents this year, marking a 15.5% increase compared to 2023. North Korean hackers have notably intensified their activities, with the FBI warning on September 3 about targeted attacks on DeFi and crypto sector employees.

Recent months have seen other significant breaches, including a $238 million Bitcoin theft and a $55 million DAI hack in August 2024, as well as a $234.9 million hack at WazirX in July. These incidents highlight the escalating risks facing crypto platforms and the urgent need for enhanced security measures.

This article has been refined and enhanced by ChatGPT.