Decentralized finance (DeFi) platform Penpie, built on the Pendle network, suffered a major exploit on September 3, 2024.
According to real-time on-chain monitoring system Cyvers Alert, the hack resulted in the loss of at least $26 million in various synthetic and cloaked crypto assets.
Details of the attack emerge
The security monitoring company stated that the attack on Penpie was initiated by a smart contract that had been initially funded with 10 ether (ETH) through Tornado Cash.
The affected protocol later acknowledged the breach, saying it had experienced a “security compromise.” The team behind the project also informed users that all transactions had stopped and that they were working to fix the problem.
Pendle, which operates the drained platform, also took to social media, claiming it had identified the attack. It also assured users that after conducting “thorough investigations”, it had concluded that their own funds were safe. However, as a precaution, the network also paused all contracts and offered assistance to the Penpie team to help resolve the incident.
Defensive and post-mortem measures
The platform later released an initial post-mortem report, detailing the timeline of events that occurred before, during and after the incident.
In the report, Pendle’s team disclosed that their system flagged the contract suspected of being behind the theft immediately after it was deployed, as it had been funded with Tornado Cash.
They immediately went on high alert, examining the contract’s potential security threat against the network. It was then that the Penpie exploit occurred, prompting the Pendle team to initiate defensive measures to protect the network and its wider ecosystem against any tracking attacks.
The protocol also enlisted the help of other cybersecurity bodies, including Seal 911, to develop strategies to further mitigate risks. However, after further checks, Pendle reactivated its contracts at 0050 UTC and resumed normal operations.
For its part, Penpie has contacted the unknown hacker and advocated for a “positive resolution” of the incident.
In its opening message, the DeFi project indicated its willingness to negotiate a reward with the attacker that would allow the safe return of the stolen funds. It further pledged not to take any legal action against the exploiter if they accepted the offer, which would see them take on a white hat role. It also assured them that their identity would not be revealed.
However, at the time of going to press, it was unclear whether the attacker had accepted Penpie’s offer or had contacted the protocol team in any way. In the meantime, Penpie’s operations remain paused and the team is working to restore its interface to ensure users can access their funds.