Pendle Safeguards $105M From Draining After Penpie Yield Optimizer Hack

DeFi protocol Pendle successfully safeguarded approximately $105 million from potential drainage following a $27 million hack on Penpie, a yield optimizer within the Pendle ecosystem.

DeFi protocol Pendle stepped in to safeguard approximately $105 million from potential drainage following a $27 million hack on Penpie, a yield optimizer within the Pendle ecosystem. The quick response by Pendle’s team ensured the security of the funds under their control.

Incident Overview

On Tuesday, an attacker breached Penpie by exploiting a vulnerability in its protocol and stealing almost $27.3 million. These looted assets were then converted to 11,109 ETH, according to tracking platform Lookonchain.

However, Pendle swiftly identified the issue and took steps to ensure that no funds in Pendle contracts were at risk, preventing further losses.

A post-mortem report by Pendle on Wednesday morning detailed the sequence of events, highlighting that at no point were any funds in Pendle contracts at risk of being drained.

“Multiple parties managed to respond to the breach in a way that prevented further losses and minimized the impact of the attack,” the project stated, adding that everything was “up and running smoothly” after the Pendle contract pause was lifted.

Post MortemEarlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.

Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK

Blockchain security firm PeckShield later identified the root cause of the attack as an “evil market” — a malicious contract that was introduced into Penpie’s system.

This contract manipulated Penpie’s staking balances to allow the attacker to claim unearned rewards. The vulnerability that was exploited is linked to a feature of Penpie that allows for permissionless registration of Pendle markets.

However, this vulnerability enabled the attacker to manipulate the system. Pendle has an internal monitoring system that alerted the team to the unusual activity. They noticed that the attacker’s contract was funded by Tornado Cash, a privacy coin that has been used in wash trading on the blockchain.

Impact on Tokens, Penpie’s Response

The native PNP token of Penpie dropped over 31% after the attack, according to CoinGecko. The native token of Pendle was also down, showing a decrease of around 9% in the last 24 hours.

Meanwhile, Penpie has paused its operations and claims to be open to discussions with the hacker. The project suggested a possible solution where the attacker would receive a percentage of the stolen funds as a bounty in exchange for returning the remaining funds, without facing prosecution or having their identity revealed.

To the hacker: We acknowledge your exploit of our protocol and believe there’s potential for a positive resolution that benefits all parties.

Penpie is a community-driven project, and these funds mean a lot to our users. We are willing to negotiate a bounty for the safe return of…

As Pendle resumes normal operations, the focus is on maintaining the safety and security of the platform. The incident highlights the vulnerability of DeFi protocols and the importance of robust security measures to protect user funds.