Penpie Yield Optimizer 遭駭客攻擊後，Pendle 避免 1.05 億美元資金流失

在 Penpie（Pendle 生態系統中的收益優化器）遭受 2,700 萬美元的駭客攻擊後，DeFi 協定 Pendle 成功保護了約 1.05 億美元免於潛在流失。

DeFi protocol Pendle stepped in to safeguard approximately $105 million from potential drainage following a $27 million hack on Penpie, a yield optimizer within the Pendle ecosystem. The quick response by Pendle’s team ensured the security of the funds under their control.

在 Penpie（Pendle 生態系統中的收益優化器）遭受 2,700 萬美元的駭客攻擊後，DeFi 協議 Pendle 介入，以保護約 1.05 億美元免遭潛在流失。 Pendle團隊的快速反應保證了他們掌控的資金安全。

Incident Overview

事件概述

On Tuesday, an attacker breached Penpie by exploiting a vulnerability in its protocol and stealing almost $27.3 million. These looted assets were then converted to 11,109 ETH, according to tracking platform Lookonchain.

週二，攻擊者利用 Penpie 協議中的漏洞入侵了 Penpie，並竊取了近 2,730 萬美元。據追蹤平台 Lookonchain 稱，這些被掠奪的資產隨後被轉換為 11,109 ETH。

However, Pendle swiftly identified the issue and took steps to ensure that no funds in Pendle contracts were at risk, preventing further losses.

然而，Pendle 很快就發現了問題，並採取措施確保 Pendle 合約中的資金不存在風險，防止進一步損失。

A post-mortem report by Pendle on Wednesday morning detailed the sequence of events, highlighting that at no point were any funds in Pendle contracts at risk of being drained.

Pendle 週三上午的事後報告詳細介紹了事件的順序，強調 Pendle 合約中的任何資金在任何時候都不存在被耗盡的風險。

“Multiple parties managed to respond to the breach in a way that prevented further losses and minimized the impact of the attack,” the project stated, adding that everything was “up and running smoothly” after the Pendle contract pause was lifted.

該項目表示：「多方設法以防止進一步損失並將攻擊影響降至最低的方式應對違規行為。」並補充說，在 Pendle 合約暫停解除後，一切都「順利啟動並運行」。

Post MortemEarlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.

今天早些時候，針對 Penpie 的安全漏洞導致部分資金損失。作為回應，Pendle 立即暫停了我們的合同，有效地保障了大約 1.05 億美元的安全，而這些資金可能會進一步從 Penpie 中流失。

Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK

感謝多方的協調努力，… https://t.co/KJd4SIRxPK

Blockchain security firm PeckShield later identified the root cause of the attack as an “evil market” — a malicious contract that was introduced into Penpie’s system.

區塊鏈安全公司 PeckShield 後來將攻擊的根本原因確定為「邪惡市場」——引入 Penpie 系統的惡意合約。

This contract manipulated Penpie’s staking balances to allow the attacker to claim unearned rewards. The vulnerability that was exploited is linked to a feature of Penpie that allows for permissionless registration of Pendle markets.

該合約操縱了 Penpie 的質押餘額，使攻擊者能夠要求不勞而獲的獎勵。所利用的漏洞與 Penpie 的一項功能相關，該功能允許無需許可地註冊 Pendle 市場。

However, this vulnerability enabled the attacker to manipulate the system. Pendle has an internal monitoring system that alerted the team to the unusual activity. They noticed that the attacker’s contract was funded by Tornado Cash, a privacy coin that has been used in wash trading on the blockchain.

然而，此漏洞使攻擊者能夠操縱系統。 Pendle 有一個內部監控系統，可以向團隊發出異常活動的警報。他們注意到攻擊者的合約是由 Tornado Cash 資助的，Tornado Cash 是一種隱私幣，已用於區塊鏈上的清洗交易。

Impact on Tokens, Penpie’s Response

Penpie 的回應對代幣的影響

The native PNP token of Penpie dropped over 31% after the attack, according to CoinGecko. The native token of Pendle was also down, showing a decrease of around 9% in the last 24 hours.

根據 CoinGecko 的數據，Penpie 的原生 PNP 代幣在攻擊後下跌了 31% 以上。 Pendle的原生代幣也出現了下跌，在過去24小時內下跌了約9%。

Meanwhile, Penpie has paused its operations and claims to be open to discussions with the hacker. The project suggested a possible solution where the attacker would receive a percentage of the stolen funds as a bounty in exchange for returning the remaining funds, without facing prosecution or having their identity revealed.

同時，Penpie 已暫停其運營，並聲稱願意與駭客進行討論。該項目提出了一種可能的解決方案，攻擊者將獲得一定比例的被盜資金作為賞金，以換取返還剩餘資金，而不會面臨起訴或身份洩露。

To the hacker: We acknowledge your exploit of our protocol and believe there’s potential for a positive resolution that benefits all parties.

致駭客：我們承認您對我們協議的利用，並相信有可能達成對各方都有利的積極解決方案。

Penpie is a community-driven project, and these funds mean a lot to our users. We are willing to negotiate a bounty for the safe return of…

Penpie 是一個由社群驅動的項目，這些資金對我們的用戶意義重大。我們願意協商懸賞金，以確保…的安全返回。

As Pendle resumes normal operations, the focus is on maintaining the safety and security of the platform. The incident highlights the vulnerability of DeFi protocols and the importance of robust security measures to protect user funds.

隨著 Pendle 恢復正常運營，重點是維護平台的安全和安保。這事件凸顯了 DeFi 協議的脆弱性以及強有力的安全措施保護用戶資金的重要性。