Penpie — a DeFi protocol built on Pendle — experienced a security breach allowing the exploiter to drain crypto assets like wstETH, agETH, sUSDe, rswETH, and more, and convert them into $27.3 million worth of Ether (ETH).
After the attack on Sept. 3, the hacker laundered more than $11 million of ETH through Tornado Cash, according to data from Etherscan. At the time of writing, the hacker still holds over 8,000 ETH, valued at over $19.2 million, in their account.
According to Pendle, the attacker had already deployed the first contract used in the attack, which the team flagged as a “suspicious contract.” While the team was still on alert, the first attack on Penpie took place on Sept. 3 at 18:23 UTC.
Two minutes after the attack, Pendle claimed their team was mobilized to “defend Pendle and Pencosystem against any subsequent attacks.” Pendle also asked for help from the security platform “SEAL 911” to assess the situation.
After the attack, Pendle conducted a post-mortem and claimed that it had paused its contracts, “effectively safeguarding ~$105M that could have been further drained from Penpie.”
Upon further analysis, the attack was traced to a vulnerability linked to a unique feature that allowed permissionless listing of Pendle markets on Penpie. After confirming that Pendle’s own assets and other protocols were not exposed to the attack, the Pendle contracts were “safely unpaused, and normal operations resumed.”
In an attempt to retrieve the funds, Penpie reached out to the hacker through an open letter on the X platform, expressing a willingness to negotiate a bounty. Penpie also promised the hacker that no legal action would be taken, their identity would remain confidential, and they would receive a percentage of the funds as a bounty reward.