Pike Finance Variable Storage Vulnerability
Pike Finance is a loan protocol which allows loans to be taken out using collateral on other chains. The smart contract was upgraded after an issue where USDC could be withdrawn without proper validation. The upgrade the team deployed to correct that vulnerability allowed all the assets to be drained from their smart contract, because the contract was no longer considered to be initialized once its storage layout shifted. The team eventually promised refunds to users, which have yet to be honoured.[1][2][3][4][5]
About Pike Finance
"Universal Liquidity Protocol A next generation money market - deposit collateral on chain A, borrow on chain B."
"Pike is a universal liquidity market optimized for native assets." "Pike is a universal liquidity market that enables lending and borrowing using native assets directly on their respective blockchains, eliminating the need for wrapping and cross-chain transfers."
"Pike enables lending and borrowing using native assets directly on their respective blockchains, eliminating the need for wrapping and cross-chain transfers. For example, users can deposit Arbitrum's ARB tokens as collateral on their native Arbitrum chain, while borrowing other assets on a different blockchain." "Pike is enabled by Wormhole Cross-Chain Messaging, Circle’s Cross-Chain Transfer Protocol, and Pyth Data Feeds."
"Pike redefines the user experience for cross-chain lending and borrowing - Our focus on native assets removes the need for assets with suffixes and prefixes." "Seamlessly maximize your yields and leverage Pike’s native cross-chain functionality - No longer do you have to constantly bridge your assets to explore opportunities across the ecosystem." "Pike’s hub and spoke architecture is designed to fade into the background - Allowing users to realize an interconnected DeFi vision. Utilize a suite of assets from across the ecosystem - Ranging from yield bearing stablecoins and LSTs, to LP tokens."
"Wormhole messaging eliminates risks associated with cross-chain bridges and bridged assets - reducing attack vectors stemming from pricing oracles."
The Reality
Upgrading the smart contract introduced a vulnerability because the upgrade shifted the alignment of the contract's stored data.
What Happened
| Date | Event | Description |
|---|---|---|
| April 30th, 2024 4:19:11 PM MDT | Ethereum Attack Transaction | The attack transaction on Ethereum blockchain. |
| May 1st, 2024 1:32:00 AM MDT | Tweet About Incident | Pike Finance puts together a tweet with a high level technical analysis of the exploit. |
| May 2nd, 2024 5:07:49 AM MDT | Path Forward Published | Pike Finance publishes a path forward for both vulnerabilities and how they plan to compensate users. |
Technical Details
"In order to pause the protocol, the spoke contracts were upgraded and there was the inclusion of an additional dependency within the smart contract code.
This dependency introduced new variables which altered the storage layout - in particular, the position of the *initialized* variable.
As a result, the position occupied by the *initialized* variable was taken over by other variables, leading to a misalignment in storage mapping.
This misalignment caused the contract to behave as if it was uninitialized, since the *initialized* variable could no longer be accessed.
As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and as a result, withdraw funds."
Attacker: 0x19066f7431df29a0910d287c8822936bb7d89e23
Attack contract: 0x1da4bc596bfb1087f2f7999b0340fcba03c47fbd
Target contract: 0xfc7599cffea9de127a9f9c748ccb451a34d2f063
Attack Transaction on Optimism: 0x19066f7431df29a0910d287c8822936bb7d89e23
Attack Transaction on Arbitrum: 0x19066f7431df29A0910d287C8822936Bb7D89E23
Attack Transaction on Ethereum: 0xe2912b8bf34d561983f2ae95f34e33ecc7792a2905a3e317fcc98052bce66431
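The storage misalignment described in the quoted analysis above, as an added example that is not from the original page or from Pike's code: a Python model that diffs two storage layouts and shows the `initialized` flag reading as zero once the upgraded code looks for it in a new slot. The layouts follow the shape of solc's `storageLayout` output; every variable name other than `initialized`, and every value, is constructed for illustration.

```python
# Constructed layouts in the shape of solc's storageLayout "storage" array.
# Variable names and values are illustrative, not Pike's actual contract.
SIZES = {"t_bool": 1, "t_address": 20, "t_uint256": 32}  # bytes per type
OLD_LAYOUT = [
    {"label": "initialized", "slot": "0", "offset": 0, "type": "t_bool"},
    {"label": "admin", "slot": "0", "offset": 1, "type": "t_address"},
    {"label": "totalSupplied", "slot": "1", "offset": 0, "type": "t_uint256"},
]
# The upgrade inherits a new dependency whose variables are laid out first.
NEW_LAYOUT = [
    {"label": "pausedAt", "slot": "0", "offset": 0, "type": "t_uint256"},
    {"label": "pauseGuardian", "slot": "1", "offset": 0, "type": "t_address"},
    {"label": "initialized", "slot": "2", "offset": 0, "type": "t_bool"},
    {"label": "admin", "slot": "2", "offset": 1, "type": "t_address"},
    {"label": "totalSupplied", "slot": "3", "offset": 0, "type": "t_uint256"},
]

def position(entry):
    return int(entry["slot"]), entry["offset"]

def diff_layouts(old, new):
    """List (label, old_pos, new_pos) for variables moved, retyped or dropped."""
    new_by_label = {e["label"]: e for e in new}
    findings = []
    for e in old:
        n = new_by_label.get(e["label"])
        new_pos = position(n) if n and n["type"] == e["type"] else None
        if new_pos != position(e):
            findings.append((e["label"], position(e), new_pos))
    return findings

def write_var(storage, layout, label, value):
    """Store value at the slot/offset the given layout assigns to label."""
    e = next(x for x in layout if x["label"] == label)
    slot, off = position(e)
    mask = ((1 << 8 * SIZES[e["type"]]) - 1) << 8 * off
    storage[slot] = (storage.get(slot, 0) & ~mask) | ((value << 8 * off) & mask)

def read_var(storage, layout, label):
    """Read label the way code compiled against the given layout would."""
    e = next(x for x in layout if x["label"] == label)
    slot, off = position(e)
    return (storage.get(slot, 0) >> 8 * off) & ((1 << 8 * SIZES[e["type"]]) - 1)

def proxy_storage_after_v1_init():
    storage = {}  # proxy storage persists across implementation upgrades
    for label, value in (("initialized", 1), ("admin", 0xA11CE), ("totalSupplied", 1000)):
        write_var(storage, OLD_LAYOUT, label, value)
    return storage
```

Running a layout diff of this kind against the compiler's storage-layout output before each upgrade flags the moved flag before deployment; an empty result means existing variables kept their positions.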
Total Amount Lost
On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH.
The total amount lost has been estimated at $1,600,000 USD.
Immediate Reactions
The Pike Finance team acknowledged the exploit and published a blog post with the plan forward.
Ultimate Outcome
Ongoing.
Total Amount Recovered
The Pike Finance team published a blog post with the plan forward.
"In the coming days, we will disclose a full list of wallet addresses with active supply and borrow positions prior to the protocol halt as of April 26 08:35 PM UTC. Addresses with a supply position will have a credit balance, and addresses with a borrow position will have a debit balance. We will calculate the Net Balance [Total Value of Supply - Total Value of Borrow] and assess whether liquidation levels have been triggered using asset prices as of April 26 08:35 PM UTC. Addresses with a positive net balance after accounting for liquidation checks will be restituted in full directly to their wallets ($OP via Optimism, $ARB via Arbitrum, $ETH and $USDC via Base)."
"The Community Treasury allocation of $P has been set aside for various usages, however one of these is of course, as an insurance fund.
As a result, we will be using 4% of the total supply of $P (from the Community Treasury allocation) as collateral to borrow the necessary stablecoin funds from the team treasury (around $2M USD across both exploits).
These will then be used to purchase the relevant assets on the open market and reimburse users for what they had within Pike prior to the exploit.
As the protocol generates revenue and launches the $P token, this loan will then be paid back accordingly - transferring the $P tokens used as collateral to the Foundation Treasury.
Once the debt is repaid, the $P will be released back to Insurance pool"
The total amount recovered has been estimated at $1,600,000 USD.
Ongoing Developments
Refunds are still ongoing.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- @RektHQ Twitter (May 6, 2024)
- Rekt - Pike Finance - Rekt (May 6, 2024)
- Pike | Universal Liquidity Protocol (May 6, 2024)
- Introduction to Pike | User Docs | Pike (May 6, 2024)
- Pike: A Path Forward - Pike (May 6, 2024)