$27M Stolen in Penpie DeFi Hack: A Detailed Breakdown of the Attack and Lessons Learned


In a dramatic turn of events for the decentralized finance (DeFi) ecosystem, Penpie, a yield-boosting platform integrated with Pendle Finance, was exploited on September 3, 2024. An attacker leveraged a sophisticated vulnerability within Penpie, resulting in the theft of 11,113.6 ETH, valued at over $27 million. This exploit targeted both the Ethereum and Arbitrum networks, triggering immediate action from Penpie, Pendle Finance, and multiple security partners to contain the damage and protect user assets.

The Penpie DeFi Hack: A Deep Dive

The Penpie platform, a prominent yield-boosting layer for Pendle Finance, was brought to a standstill when an attacker discovered and exploited a reentrancy vulnerability in the PendleStakingBaseUpg::batchHarvestMarketRewards() function. Because the function accepted an attacker-deployed (fake) Pendle market, the attacker was able to control which reward tokens were reported and in what amounts. Here is a detailed breakdown of the hack:

  • Date of Incident: September 3, 2024
  • Time of Attack: The attack commenced at 6:23 PM UTC.
  • Total Loss: Over 11,113.6 ETH (~$27.35 million) was stolen from Penpie’s pools.
  • Networks Affected: Ethereum and Arbitrum networks.

Root Cause Analysis

The root cause of the exploit was a reentrancy vulnerability in Penpie's smart contract function PendleStakingBaseUpg::batchHarvestMarketRewards(). The attacker deployed a malicious Pendle Market backed by a fake SY contract and, while the harvest function was executing, re-entered the staking contract to repeatedly deposit funds sourced from flash loans. Because the harvest accounting had not yet been finalised when those deposits landed, the reward distribution was skewed in the attacker's favour and the rewards were redirected to the attacker instead of legitimate depositors.
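The following is an added, hypothetical illustration (not Penpie's or Pendle's code) of the two controls the root cause points to: a reentrancy guard shared by deposit() and batchHarvestMarketRewards(), so a market's external call cannot re-enter the staking contract mid-harvest, and a governance-maintained market allowlist, so the harvest loop cannot be pointed at an attacker-deployed market. The interface name IPendleMarketLike, the contract names and the storage layout are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hardened staking contract (example only, not Penpie's code).
interface IPendleMarketLike {
    function redeemRewards(address user) external returns (uint256[] memory);
    function getRewardTokens() external view returns (address[] memory);
}

abstract contract ReentrancyGuard {
    uint256 private status = 1; // 1 = not entered, 2 = entered
    modifier nonReentrant() {
        require(status == 1, "reentrant call");
        status = 2;
        _;
        status = 1;
    }
}

contract StakingHardened is ReentrancyGuard {
    address public immutable owner;
    mapping(address => bool) public isRegisteredMarket;                  // allowlist
    mapping(address => mapping(address => uint256)) public marketRewards; // market => token => amount

    constructor() { owner = msg.sender; }

    // Only governance may register a market (e.g. after checking it against
    // the official Pendle market factory), so a fake market is never harvested.
    function registerMarket(address market) external {
        require(msg.sender == owner, "not owner");
        isRegisteredMarket[market] = true;
    }

    // Same guard as the harvest path: a deposit cannot land mid-harvest.
    function deposit(address market, uint256 /*amount*/) external nonReentrant {
        require(isRegisteredMarket[market], "unknown market");
        // ... pull LP tokens in and credit msg.sender (omitted in this example) ...
    }

    function batchHarvestMarketRewards(address[] calldata markets) external nonReentrant {
        for (uint256 i = 0; i < markets.length; i++) {
            address market = markets[i];
            require(isRegisteredMarket[market], "unknown market");
            address[] memory tokens = IPendleMarketLike(market).getRewardTokens();
            uint256[] memory amounts = IPendleMarketLike(market).redeemRewards(address(this));
            require(tokens.length == amounts.length, "bad reward data");
            for (uint256 j = 0; j < tokens.length; j++) {
                marketRewards[market][tokens[j]] += amounts[j];
            }
        }
    }
}
```

Note that the allowlist is the control that addresses the fake SY/market vector; the guard alone would still let a registered-but-malicious market report arbitrary reward tokens, so the reward token list should also be validated against known tokens in a production contract.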

Timeline of Events

  • 5:44 PM – 5:51 PM UTC: The attacker deployed malicious Pendle Market contracts and made initial deposits to prepare for the exploit.
  • 6:23 – 6:42 PM UTC: The attacker executed the first attack on Penpie via Ethereum, draining substantial amounts of ETH.
  • 6:45 PM UTC: Pendle paused its platform on Ethereum to prevent further exploitation.
  • 7:38 PM UTC: Penpie paused all operations on both Ethereum and Arbitrum networks to prevent additional attacks.
  • 8:16 PM UTC: The attacker transferred 11,109.62 ETH into a new wallet.
  • 11:06 PM UTC: Penpie’s team started the process of restoring the platform’s frontend while coordinating with law enforcement and cybersecurity partners for further action.

Immediate Response and Mitigation

Penpie’s team, alongside Pendle Finance and their partners SEAL 911, Hexagate, and others, quickly responded to the attack by pausing the platform’s operations across all chains, securing around $70 million worth of assets from further risk. They also engaged in real-time tracking of the stolen funds, collaborated with law enforcement, and attempted multiple on-chain communications with the attacker, offering an amicable resolution to recover the stolen funds.

10 Recommendations to Prevent Similar Attacks in the Future

  1. Regular Comprehensive Audits: Periodically conduct full-scale audits of smart contracts, especially after new features are added.
  2. Implement Reentrancy Guards: Ensure that smart contract functions are protected against reentrancy attacks by implementing appropriate guards and checks.
  3. Real-Time Monitoring and Auto-Pausing: Deploy real-time monitoring tools that can automatically pause suspicious activities, preventing significant losses.
  4. Utilize Multi-Signature Protocols: Require multiple signatures for critical transactions to prevent unauthorized actions by a single entity.
  5. Engage Multiple Audit Firms: Employ diverse audit firms to analyze different aspects of smart contracts for thorough security assurance.
  6. Conduct Regular Penetration Testing: Simulate attacks to identify vulnerabilities and fix them before they can be exploited.
  7. Implement Rate Limiting and Circuit Breakers: Add rate-limiting mechanisms to restrict the frequency of transactions, preventing exploits through repeated actions.
  8. Strengthen Governance Models: Ensure that protocol changes and updates go through a robust governance process involving community input and expert analysis.
  9. Create a Robust Incident Response Plan: Have a well-defined incident response plan in place to react quickly to any potential security breaches.
  10. Transparency and Communication: Maintain open communication with users and stakeholders during security incidents to build trust and ensure effective crisis management.

Conclusion

The $27 million Penpie DeFi hack serves as a stark reminder of the vulnerabilities that can exist within complex DeFi ecosystems. Despite the immediate response and mitigation efforts, this incident underscores the importance of ongoing vigilance, robust security practices, and community collaboration to safeguard decentralized platforms. Penpie and Pendle Finance’s swift actions post-attack reflect their commitment to security, transparency, and accountability. The lessons learned from this exploit will undoubtedly contribute to strengthening the overall DeFi security landscape.

Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
