Yesterday, Penpie, a farming protocol built on the Pendle Protocol, recently fell victim to a devastating reentrancy attack that resulted in a massive loss of approximately $27 million. The attack exploited vulnerabilities in the PendleStaking contract, which lacked crucial security measures such as reentrancy guards. This failure allowed the attacker to manipulate markets, harvest rewards maliciously, and withdraw significant amounts of value.
The exploit underscores the critical need for robust security practices in decentralized finance (DeFi) protocols.
Penpie’s $27M exploit was triggered by a reentrancy vulnerability within its PendleStaking implementation. An attacker leveraged a counterfeit SY token and manipulated high-value PENDLE-LPT tokens to exploit the system. The attack involved a series of strategic moves, including flash loans and token manipulation, to siphon off substantial amounts of valuable tokens. The lack of reentrancy guards and proper market validation made this exploit possible.
0x4476b
. Despite these tokens being worthless, they set up the attacker for further exploitation.Market Magic: Armed with high-value PENDLE-LPT tokens (0x6010_PENDLE-LPT
and 0x038c_PENDLE-LPT
), the attacker created a new market on Penpie. This market, despite being fraudulent, was accepted and recognized by the protocol due to inadequate validation.
Attack Prep Transaction: https://app.blocksec.com/explorer/tx/eth/0x7e7f9548f301d3dd863eac94e6190cb742ab6aa9d7730549ff743bf84cbd21d1
batchHarvestMarketRewards()
function, which calculated rewards based on the token balances before and after calling redeemRewards()
.redeemRewards()
function, which called claimRewards()
of the specific market, the attacker exploited the contract’s reentrancy vulnerability. The lack of proper validation allowed them to re-enter the contract via the depositMarket()
function repeatedly.0x2f2d...1C39
.Attacker address:
0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b (ethereum and arbitrum)
Exploit contract:
0xcde2cd6aeaaf0238f4ce33295be13704e4a97de2 (ethereum)
0x4bc9815b859c8172cee1ab2cd372fd0eb00eb487 (arbitrum)
PendleStaking contract: 0xFF51c6b493c1E4Df4e491865352353EAdff0f9f8 (ethereum)
Attack transactions:
0x67c5400da117b906f8c0fc5f5149e4ea10ed6358cd9ea2ec0ed8f559d757b7df (arbitrum)
0x56e09abb35ff12271fdb38ff8a23e4d4a7396844426a94c4d3af2e8b7a0a2813 (ethereum)
0x42b2ec27c732100dd9037c76da415e10329ea41598de453bb0c0c9ea7ce0d8e5 (ethereum)
0x663b55a1ee992603f7636ef23ff5cf19d3b261ab81494d06e218c86482df5342 (ethereum)
The Penpie exploit can be traced back to the absence of a reentrancy guard in the PendleStaking contract. This crucial security feature was missing, leaving the contract vulnerable to malicious reentrant calls. The protocol’s failure to validate the trustworthiness of the markets argument exacerbated the issue, allowing attackers to exploit the system through market manipulation. By creating a malicious market, attackers were able to inflate staking balances and claim rewards unjustly.
The $27M exploit of the Penpie protocol underscores a crucial lesson in the importance of robust security practices in decentralized finance (DeFi). Reentrancy attacks, like the one that exploited Penpie, highlight how vulnerabilities in smart contracts can lead to catastrophic financial losses if not properly mitigated.
Reentrancy attacks occur when a contract’s external call allows a malicious actor to re-enter the contract in an unintended state, often leading to unauthorized actions or fund transfers. To prevent such attacks, here are several key strategies:
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny
from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Their expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
In the world of DeFi, where the stakes are high, investing in top-notch security audits is not just a precaution—it's a necessity.
Secure your protocols, protect your assets, and build with confidence knowing that your security is in expert hands.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!