$200 000 USD
DESCRIPTION OF EVENTS
"Pinecone Finance is the next generation of yield optimizer protocol on BSC with the aim of making yield farming more rewarding, sustainable and effortless." "Yield farming is a DeFi concept where users stake their crypto assets in order to receive passive income, which has become in favor these days, especially in the time of crypto market uncertainty." "Nevertheless there are many issues still plaguing yield farmers including the lack of sustainability, poor user experience, and most importantly, security risks especially flash loan attacks which has already caused hundreds of millions of losses for projects and investors."
"Pinecone focuses only on single asset farming in order to avoid the risks associated with farming via LPs. What is unique about Pinecone is that, for each crypto asset, it will offer multiple farming strategies with different risk/return profiles, so that farmers can select the most suitable ones based on their own preferences, and easily switch between different vaults anytime they want."
"No matter how complicated a flash loan attack is, it has to be using smart contract to execute large number of transactions in one block. Pinecone’s flash loan attack defending system works in two levels: (1) It restricts the direct access from 3rd party smart contract unless they go through the white list approval process including stringent security checks. (2) It sets max transaction limit per block to ensure no flash loan attackers can profit from dumping large amount of PCT to profit within one block."
"PCT holders can enjoy sustainable income from various sources including performance fee, transfer tax and we also offer PCT stakers PCT rewards per block."
"Pinecone launched the pledge pool of protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT pledge pool went online, the front-end was processed to limit illegal operations, but the hacker bypassed the front-end page during the attack and directly called the smart contract through the ordinary account, depositing PCT tokens greater than the amount of the account balance, and the PCT pool was wrong. Records the number of user deposits. When withdrawing, you can extract more PCT tokens. After discovering that the currency price had plunged, the project party immediately terminated the call of the smart contract. The current loss of the number of PCTs: about 3.5 million."
"@PineconeFinance was exploited starting 2021-08-18 11:41:19 AM UTC with a flurry of deposits and withdraws, leading to the loss of ~3.5M PCTs (~$200K)." "The root cause is due to a false deposit bug in the staking logic of @PineconeFinance. In particular, the affected vault counts as valid deposits even no tokens are actually transferred in."
"[I]n one example hack tx, the hacker has no sufficient PCT balance but stakes 200K PCTs to the vault. However, the tx still succeeds and credits the hacker with 200K valid PCTs staked!" "Overall, three involved hackers collect ~3.5M PCTs and convert to 516.83 BNB (~$200K)."
"PCT token is different from ordinary ERC-20 Token in that it had a built-in burning mechanism. Interaction with smart contracts which often report errors due to incorrect wallet balance and causing transaction failures. In order to avoid this issue, the rollback mechanism which voids the transaction when the wallet balance is insufficient is taken offline. This mechanism, though existed, could not be abused prior to the launch of PCT vault."
"When the Pinecone PCT staking vault went online, the restriction for illegal operations were implemented at front-end, however the hacker bypassed the webpage and directly called the smart contract through EOA. In the end the hacker managed to withdraw greater amount of PCT token than the amount he deposited, because the Smart Contract failed to verify the account balance."
"PCT price plunged from 0.095 to 0.037 within 10 minutes. The project team took quick action to stop PCT pool contract and fixed the issue immediately with PeckShield, a renowned tech auditing firm." "The project team has contacted the Binance team and taken due action to locate the hacker. Peckshield has offered great help to the project team during the post-mortem analysis and will continue to support the project team for further security audit."
"As of 09:30 AM UTC on August 19, the project team and investors held a total of 4.91 million tokens. After discussing with the team, early investors and advisors overnight, everyone decided to overcome the difficulties together and use all tokens to compensate users."
"[T]he project team will make up for all the lost PCT amount by August 21, totaling 3.53 million." "[A]ll the wallet PCT holders counted at 09:30 AM UTC on August 19th will be compensated through daily airdrop, based on the current PCT staking pool yearly APR 542%, daily APR 1.5%, until the deposit function of the PCT staking pool is restored. Due to the complexity of data collection and calculation, the airdrop is scheduled to start on August 21. The specific time will be notified in advance."
"The remaining part will be given out as further compensation through the PCT staking pool, shared by all pool users. This will be implemented after the deposit function of the staking pool back to normal."
"The funds are still parked in three different addresses: 0x4272, 0xfc66, 0x430a. We are actively monitoring these addresses for any movement." "By analyzing the perpetrator’s (hereinafter referred as Mr. X) wallet, the project team managed to track down his hot wallet addresses and transaction records associated with three major CEXs."
"The project team immediately got in touch with the exchanges trying to track Mr. X’s identify, at the same time urge Mr. X to return the fund through the communication on Twitter, Telegram Group and Medium. At 11:30 UTC on August 19, after receiving an e-mail from Mr. X, expressing his willingness to reconcile and return the fund, the founder of Pinecone reached out to Mr. X and had a long conversation. During the communication, Mr. X said that he was actually an investor of the project and even participated in the pre-sale."
"When PCT staking pool went online, he accidentally discovered a loophole and used it to make a profit of nearly 500 BNB. After seeing the attitude, efficiency and sincerity of the project team handling this incident, he decided to return the fund and would love to continue to support the project."
"It was a happy ending eventually and the incident was resolved through mutual understanding and effective communication."
Pinecone Finance offers a new yield farm for staking, where users deposit their funds into a smart contract hot wallet, earning profit by providing market liquidity. There was an exploit which was possible with deflationary tokens, where a hacker was able to gain $200k.
The hacker returned the funds in a subsequent discussion, and the team worked to compensate all affected users for their losses.
HOW COULD THIS HAVE BEEN PREVENTED?
There were no losses in this case since the hacker returned the funds.
The only truly secure storage of assets is an offline multi-sig wallet. Protocols run by known teams could explore options where most funds are in cold storage when not in use. In the future, it's very likely that insurance protocols will reduce some of the risk.
SlowMist Hacked - SlowMist Zone (May 18)
@peckshield Twitter (Aug 22)
@PineconeFinance Twitter (Aug 22)
Post-Mortem of PCT Staking Vault Attack | by PineconeFinance_Official | Medium (Aug 22)
Pinecone Finance (Aug 22)
Pinecone Finance - Multiple Strategy Single Asset Farming (Aug 22)
Contract Address 0x4631d9D8b34f51B82958a19453bdc9eA0C4E49FC | BscScan (Aug 22)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
PCT Staking Pool Attack Compensation Plan | by PineconeFinance_Official | Medium (Sep 20)
Binance Transaction Hash (Txhash) Details | BscScan (Sep 20)