Decentralized finance (DeFi) protocol Penpie recently fell victim to an exploit that stole millions of dollars worth of multiple crypto assets. Pendle, the protocol on which Penpie is based, addressed the incident in a postmortem, revealing that it had prevented additional losses worth over $100 million in user funds.
Hacker Steals Millions From DeFi Protocol
On Tuesday, DeFi project Penpie, an independent Pendle-based yield optimizer, saw over $20 million in funds drained from the protocol. According to reports, the malicious actor exploited a vulnerability in its reward distribution mechanism and stole several crypto assets, including Ethena Staked USDe (sUSDe), wrapped USDC, and staked Ether (ETH).
According to security firm PeckShield, the exploit used a “malicious marketplace” contract that inflated staking balances to claim unjustified rewards. Pendle confirmed that the vulnerability was related to a Penpie-exclusive feature that allowed “permissionless listing of Pendle marketplaces on Penpie.”
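The two details reported above, a permissionless listing path and a listed contract whose reported staking balance fed reward accounting, are enough to illustrate the design choice a defender cares about. The contract below is an added illustration written for this article, not Penpie's or Pendle's code, and it does not claim to reproduce the actual exploit path. The `IStakingMarket` interface, the `permissionlessListing` flag, the `rewardPerStakedUnit` rate and every function name are hypothetical. It shows the weak configuration (any caller may register any contract as a market) beside the hardened one (only governance may list, after review), with a claim path that trusts only approved markets, updates state before any payout and bounds payouts by the funded budget.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: the only thing the distributor reads from a listed market.
interface IStakingMarket {
    function stakedBalance(address account) external view returns (uint256);
}

// Hypothetical reward distributor for a yield optimizer built on top of
// third-party markets. The security-relevant setting is who controls the set
// of contracts whose reported balances drive reward payouts.
contract RewardDistributor {
    address public immutable governance;
    // Weak setting: true lets any caller register any contract as a market.
    // Hardened setting: false, so listing goes through governance review.
    bool public immutable permissionlessListing;

    mapping(address => bool) public isApprovedMarket;
    // Reward units accrued per staked unit, fixed at listing time (hypothetical).
    mapping(address => uint256) public rewardPerStakedUnit;
    // market => user => rewards already paid, so claims are cumulative, not repeatable.
    mapping(address => mapping(address => uint256)) public paidOut;
    // Total rewards this contract has been funded with; payouts never exceed it.
    uint256 public rewardBudget;

    event MarketListed(address indexed market, address indexed lister);
    event RewardClaimed(address indexed market, address indexed user, uint256 amount);

    constructor(bool _permissionlessListing, uint256 budget) {
        governance = msg.sender;
        permissionlessListing = _permissionlessListing;
        rewardBudget = budget;
    }

    // Listing gate. With permissionlessListing == true an untrusted contract
    // can be registered and its stakedBalance() answers are then trusted by
    // claim(). With it false, only governance can add a market, which is the
    // point at which an off-chain review of the market contract happens.
    function listMarket(address market, uint256 rate) external {
        require(
            permissionlessListing || msg.sender == governance,
            "listing restricted to governance"
        );
        require(market.code.length > 0, "market must be a contract");
        require(!isApprovedMarket[market], "already listed");
        isApprovedMarket[market] = true;
        rewardPerStakedUnit[market] = rate;
        emit MarketListed(market, msg.sender);
    }

    // Claim logic is identical under both settings; what differs is whether
    // the balance source it queries was reviewed. Accounting is updated before
    // any transfer would happen, and the payout is capped by the budget.
    function claim(address market) external returns (uint256 due) {
        require(isApprovedMarket[market], "market not approved");
        uint256 staked = IStakingMarket(market).stakedBalance(msg.sender);
        uint256 owedTotal = staked * rewardPerStakedUnit[market];
        uint256 alreadyPaid = paidOut[market][msg.sender];
        due = owedTotal > alreadyPaid ? owedTotal - alreadyPaid : 0;
        if (due > rewardBudget) {
            due = rewardBudget;
        }
        paidOut[market][msg.sender] = alreadyPaid + due;
        rewardBudget -= due;
        emit RewardClaimed(market, msg.sender, due);
        // The actual token transfer of `due` to msg.sender would follow here
        // (omitted); it must come after the state updates above.
    }
}
```

Deploying with `permissionlessListing = false` is the hardened configuration: the contracts whose balances feed reward accounting are then an explicitly reviewed set rather than anything a caller chooses to register. The budget cap and the cumulative `paidOut` record do not replace that gate; they only limit how much a bad balance source can extract before monitoring, of the kind the post-mortem below credits, catches it.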
Attacker uses "evil market" to exploit Penpie's vulnerability. Source: PeckShield on X
The cryptocurrency theft netted $7.87 million in wstETH, $2.51 million in sUSDe, $3.4 million in agETH, $2.22 million in rswETH, and four other Pendle-related yield tokens. Following the exploit, the hacker exchanged the crypto assets for 11,113 ETH using the Li.fi protocol.
The stolen funds, worth $27.3 million, were then transferred to the cryptocurrency mixer Tornado Cash. According to the report, the operator sent more than 3,000 ETH, or about $7.2 million, to the mixer on Wednesday morning.
The Penpie team sent a message to the attacker, asking them to resolve the incident “amicably.” The protocol acknowledged the project’s vulnerability and the exploit’s role in bringing it to light, offering a white hat bounty for the safe return of the funds.
Additionally, they offered the attacker the opportunity to “move to a white hat role, where your skills will be recognized and rewarded.” The team assured that the hacker’s identity would remain confidential and that they would not take any legal action against him.
As of this writing, there is no report of a resolution between the operator and the protocol team.
Post-mortem: rapid response prevents further losses
On Wednesday morning, the Pendle team shared a post-mortem detailing the incident. In the X post, the DeFi protocol explained that the project’s effective response prevented further losses to Penpie’s funds.
Pendle said its “real-time internal monitoring system” immediately detected suspicious activity, as the attacker's contract was funded with 10 ETH from Tornado Cash just hours before the heist.
Timeline of the attack and Pendle's response. Source: Pendle on X
At the time of the first attack, the parties involved were aware of the red flag and quickly mobilized to protect the project’s ecosystem from further attacks. Twenty minutes after the exploit, the team suspended all contracts on Pendle, which apparently prevented further losses and protected $105 million worth of Penpie crypto assets.
The DeFi protocol also reached out to other Pendle-based projects, such as Equilibria and StakeDAO, to check if they were under attack and assess the situation. After investigating, the team determined that the Pendle ecosystem was safe and that the attack was specific to Penpie before resuming operations:
A security breach targeting Penpie resulted in a loss of funds. In response, Pendle quickly suspended our contracts, protecting approximately $105 million that could have been further diverted from Penpie. Through coordinated efforts by multiple parties, additional breaches have been mitigated and Pendle contracts have now been reactivated. Normal operations have resumed.
Ultimately, the Pendle team assured users that their funds were never at risk and that they were not affected by the exploit.
Ethereum (ETH) is trading at $2,472 in the weekly chart. Source: ETHUSDT on TradingView