DeFi protocol Pendle successfully protected approximately $105 million from potential drainage after Penpie, a yield optimizer in the Pendle ecosystem, suffered a $27 million hack.
DeFi protocol Pendle stepped in to safeguard approximately $105 million from potential drainage following a $27 million hack on Penpie, a yield optimizer within the Pendle ecosystem. The quick response by Pendle’s team ensured the security of the funds under their control.
Incident Overview
On Tuesday, an attacker breached Penpie by exploiting a vulnerability in its protocol and stealing almost $27.3 million. These looted assets were then converted to 11,109 ETH, according to tracking platform Lookonchain.
However, Pendle swiftly identified the issue and took steps to ensure that no funds in Pendle contracts were at risk, preventing further losses.
A post-mortem report by Pendle on Wednesday morning detailed the sequence of events, highlighting that at no point were any funds in Pendle contracts at risk of being drained.
“Multiple parties managed to respond to the breach in a way that prevented further losses and minimized the impact of the attack,” the project stated, adding that everything was “up and running smoothly” after the Pendle contract pause was lifted.
Post Mortem
Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.
Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK
Blockchain security firm PeckShield later identified the root cause of the attack as an “evil market” — a malicious contract that was introduced into Penpie’s system.
This contract manipulated Penpie’s staking balances to allow the attacker to claim unearned rewards. The vulnerability that was exploited is linked to a feature of Penpie that allows for permissionless registration of Pendle markets.
However, this vulnerability enabled the attacker to manipulate the system. Pendle has an internal monitoring system that alerted the team to the unusual activity. They noticed that the attacker’s contract was funded by Tornado Cash, a privacy coin that has been used in wash trading on the blockchain.
Impact on Tokens, Penpie’s Response
The native PNP token of Penpie dropped over 31% after the attack, according to CoinGecko. The native token of Pendle was also down, showing a decrease of around 9% in the last 24 hours.
Meanwhile, Penpie has paused its operations and claims to be open to discussions with the hacker. The project suggested a possible solution where the attacker would receive a percentage of the stolen funds as a bounty in exchange for returning the remaining funds, without facing prosecution or having their identity revealed.
To the hacker: We acknowledge your exploit of our protocol and believe there’s potential for a positive resolution that benefits all parties.
Penpie is a community-driven project, and these funds mean a lot to our users. We are willing to negotiate a bounty for the safe return of…
As Pendle resumes normal operations, the focus is on maintaining the safety and security of the platform. The incident highlights the vulnerability of DeFi protocols and the importance of robust security measures to protect user funds.