Penpie Protocol, a yield-boosting protocol built on top of Pendle, was exploited for roughly $27 million on September 3. The attacker abused a flaw in Penpie's smart contracts to manipulate its reward accounting.
On September 4, an investigation by the blockchain security firm Hacken found that the attacker exploited the vulnerability by introducing a fake token into a pool. The attacker deployed counterfeit versions of Pendle's Standardized Yield (SY) tokens, the wrapper Pendle uses for yield-bearing assets, and Penpie's reward system treated them as genuine, allowing the attacker to claim yield that belonged to legitimate depositors.
The attack was carried out in three transactions in quick succession. The exploiter drained, among other tokens, 695 Restaked Swell ETH (rswETH), 4,101 Kelp Gain (agETH), 2,723 Wrapped Staked ETH (wstETH), and 2.52 million Staked Ethena USD (sUSDe).
The underlying bug was a reentrancy flaw: while Penpie's contract was calling out to the attacker-controlled SY contract, that contract could call back into Penpie before the first call had finished updating state, letting the attacker manipulate the protocol's accounting and siphon funds. Pendle detected the suspicious transactions and paused its contracts, limiting further damage.
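To make the bug class behind the two paragraphs above concrete, here is an added toy model, written for this page and not taken from Penpie's or Pendle's contracts. It models a reward harvester that reads its token balance before and after calling an untrusted market contract and credits the difference as reward. A fake market that re-enters deposit() inside that window gets a plain deposit counted as harvested reward, so the contract's liabilities exceed what it holds; a nonReentrant-style lock blocks the callback. The class names, the balance-delta accounting and the amounts are assumptions of the example, not details from the incident reports.

```python
"""Toy model of a reentrancy bug in a reward harvester.

Added example, not Penpie's or Pendle's code. Staking snapshots its token balance
before and after asking an untrusted market contract to pay out rewards and credits
the difference to that market. If the market can re-enter deposit() in between, the
deposit is mis-counted as reward.
"""


class Reentrancy(Exception):
    """Raised by the guarded contract when a call re-enters it."""


class Token:
    """Minimal ERC-20-like ledger (constructed for the example)."""

    def __init__(self):
        self.bal = {}

    def mint(self, who, amount):
        self.bal[who] = self.bal.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

    def balance_of(self, who):
        return self.bal.get(who, 0)


class Staking:
    """Users deposit `asset`; harvest(market) pulls rewards paid in the same asset."""

    NAME = "staking"

    def __init__(self, asset, guarded):
        self.asset = asset
        self.guarded = guarded   # True: a nonReentrant-style lock is enforced
        self.deposits = {}       # user -> deposited amount (a liability)
        self.rewards = {}        # market name -> reward credited (a liability)
        self._locked = False

    def _enter(self):
        if self.guarded and self._locked:
            raise Reentrancy("reentrant call blocked")
        self._locked = True

    def _exit(self):
        self._locked = False

    def deposit(self, user, amount):
        self._enter()
        try:
            self.asset.transfer(user, self.NAME, amount)
            self.deposits[user] = self.deposits.get(user, 0) + amount
        finally:
            self._exit()

    def harvest(self, market):
        """Vulnerable pattern: the untrusted external call sits between two balance
        reads, so anything that lands in the balance meanwhile counts as reward."""
        self._enter()
        try:
            before = self.asset.balance_of(self.NAME)
            market.redeem_rewards(self)   # untrusted external call
            after = self.asset.balance_of(self.NAME)
            self.rewards[market.name] = self.rewards.get(market.name, 0) + (after - before)
        finally:
            self._exit()

    def liabilities(self):
        return sum(self.deposits.values()) + sum(self.rewards.values())


class HonestMarket:
    """Legitimate market: pays out the rewards it holds."""

    name = "honest"

    def __init__(self, asset, payout):
        self.asset, self.payout = asset, payout

    def redeem_rewards(self, staking):
        self.asset.transfer(self.name, staking.NAME, self.payout)


class FakeMarket:
    """Attacker-controlled 'SY' contract: instead of paying rewards it re-enters deposit()."""

    name = "fake"

    def __init__(self, attacker, amount):
        self.attacker, self.amount = attacker, amount

    def redeem_rewards(self, staking):
        staking.deposit(self.attacker, self.amount)   # the reentrant call


def run_honest():
    asset = Token()
    staking = Staking(asset, guarded=True)
    market = HonestMarket(asset, payout=50)
    asset.mint(market.name, 50)
    staking.harvest(market)
    return staking.rewards[market.name]   # 50: a normal harvest still works with the guard


def run_attack(guarded):
    asset = Token()
    staking = Staking(asset, guarded)
    asset.mint("attacker", 1_000)         # constructed amount
    fake = FakeMarket("attacker", 1_000)
    try:
        staking.harvest(fake)
        blocked = False
    except Reentrancy:
        blocked = True
    return {
        "blocked": blocked,
        "credited_rewards": staking.rewards.get(fake.name, 0),
        "attacker_deposit": staking.deposits.get("attacker", 0),
        "balance": asset.balance_of(Staking.NAME),
        "liabilities": staking.liabilities(),
    }


if __name__ == "__main__":
    print("unguarded:", run_attack(guarded=False))  # 1000 deposit also credited as 1000 reward
    print("guarded:  ", run_attack(guarded=True))   # callback blocked, nothing credited
```

In the unguarded run the contract ends up holding 1,000 tokens against 2,000 of liabilities, which is the shape of loss the reward-system abuse produces. The lock is the standard fix, but balance-delta accounting stays fragile even with it, since any party can push tokens into a contract; it is safer to credit rewards from amounts the protocol computes itself rather than from what an untrusted callee leaves in the balance.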
After swapping the stolen tokens for ether and routing part of it through a mixer service, the exploiter now holds 7,113.27 ETH. The Penpie team has contacted the attacker through on-chain messages, signalling its willingness to negotiate a bounty for the return of the funds in place of legal action.
The incident is a reminder that decentralized finance projects must treat contract security as a first-order concern and fix vulnerabilities promptly in order to protect user assets and preserve confidence in decentralized finance.