Penpie exploited for $27 million in reentrancy attack

Yield protocol Penpie was exploited for $27 million on Sept. 3 after a malicious actor abused a vulnerability in the protocol’s smart contracts.

Penpie is a yield protocol built on Pendle that aims to boost rewards for users on the network.

Reentrancy exploited

In a Sept. 4 breakdown, blockchain security firm Hacken explained that the attacker used a pool with fake tokens to carry out the heist. The exploiter created worthless versions of Pendle’s yield-bearing tokens, Standardized Yield (SY), and tied them to valuable assets.

The attacker deployed five malicious contracts to act as legitimate liquidity pools and trick Penpie’s rewards system, but only three of them were used. He then leveraged the fake SY tokens as tickets to claim real yield.

Three attack transactions were executed between 6:25 P.M. and 6:42 P.M. UTC. The first transaction extracted the largest amount, siphoning $15.7 million, followed by two further transactions that took $5.6 million each out of Penpie’s contract.

The exploiter got away with 695 Restaked Swell ETH (rswETH), 4,101 Kelp Gain (agETH), 2,723 Wrapped Staked ETH (wstETH), and 2.52 million Staked Ethena USD (sUSDe).

The remaining two malicious contracts deployed by the exploiter were not used in the attack, which was made possible by a reentrancy vulnerability in Penpie’s contract.

A reentrancy vulnerability occurs when a contract makes an external call to another smart contract before updating its own state. That window lets a malicious contract re-enter the protocol and alter data or inject actions before the original call finishes.

Notably, the losses could have been larger. Pendle identified the malicious transactions and paused its contracts at 6:45 P.M. UTC, three minutes after the third attack. Hacken highlighted:

“This was crucial, as the attacker deployed a fourth malicious contract only a minute later. Pausing Pendle’s contracts effectively halted the exploit, preventing further loss.”
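The two defensive points in the passages above (update state before making an external call, and keep a pause switch that an operator can throw while an exploit is in progress) are easiest to see side by side. The following is an added illustration, not Penpie’s, Pendle’s or Hacken’s code: a hypothetical minimal reward vault, first written with the external call before the state update, then hardened with checks-effects-interactions, a reentrancy lock and a pause switch. All contract, function and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical names), not code from Penpie or Pendle.

// --- Vulnerable pattern: external call BEFORE the state update -------------
contract VulnerableRewardVault {
    mapping(address => uint256) public claimable;

    function deposit() external payable {
        claimable[msg.sender] += msg.value;
    }

    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");

        // Interaction first: control passes to the caller's receive/fallback
        // while claimable[msg.sender] is still unchanged, so a nested call
        // to claim() from that callback passes the require() again.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        // Effect last: by now the unchanged balance has already been paid out.
        claimable[msg.sender] = 0;
    }
}

// --- Hardened pattern: checks-effects-interactions, lock, pause switch -----
contract HardenedRewardVault {
    mapping(address => uint256) public claimable;
    address public immutable owner;
    bool public paused;

    // Single-slot mutex; OpenZeppelin's ReentrancyGuard implements the same idea.
    uint256 private _locked = 1;

    constructor() {
        owner = msg.sender;
    }

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    modifier whenNotPaused() {
        require(!paused, "vault paused");
        _;
    }

    // Circuit breaker: lets the operator stop further claims mid-incident,
    // the way Pendle's pause halted the exploit described above.
    function setPaused(bool value) external {
        require(msg.sender == owner, "not owner");
        paused = value;
    }

    function deposit() external payable whenNotPaused {
        claimable[msg.sender] += msg.value;
    }

    function claim() external nonReentrant whenNotPaused {
        // Check
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");

        // Effect: zero the balance before any external call, so a nested
        // claim() would read 0 and revert at the require above even without
        // the lock.
        claimable[msg.sender] = 0;

        // Interaction last
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The lock and the ordering are independent defences: the ordering removes the stale-state window, and the lock rejects any nested entry regardless of ordering, so a later edit that reintroduces a call-before-update bug is still contained. The pause switch is operational rather than code-level; it only helps when the operator has monitoring that flags anomalous claims quickly enough, which is what made the three-minute response in this incident matter.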

The entire batch of tokens was converted to Ethereum (ETH), amounting to roughly 10,113 ETH. The exploiter transferred 3,000 ETH to the mixer service Tornado Cash and currently holds 7,113.27 ETH, according to on-chain data.

The Penpie team reached out to the exploiter via an on-chain message and an X post acknowledging the hack and stating that they were open to negotiating a bounty in exchange for the stolen funds. Moreover, they promised that no legal action would be pursued.
