DeFiPie Nested Borrows

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 21:52, 22 February 2023 by Azoundria (talk | contribs)



DeFiPie

The DeFiPie protocol allowed anyone to create a lending pool for an arbitrary token contract. An attacker used this to add a token whose transfer function re-entered the protocol, enabling nested borrows against the same collateral (a re-entrancy attack).

The issue was subsequently fixed. DeFiPie is planning to reimburse users and rebrand to a new name - pieLABS.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11]

About DeFiPie

"DeFiPie (PIE) [is a] lending protocol on the Ethereum and Binance smart chain." "DeFiPie combines some of the best features of money market protocols, while offering its own unique features, enabling users to enjoy the promises of Decentralized Finance." "DeFiPie combines the best aspects of many Decentralized Finance (DeFi) applications to create the ultimate DeFi experience. Users can create custom liquidity pools, engage in the DAO and governance, use the PIE token to borrow funds, and begin earning annual percentage yields over 100%."

"Lenders and borrowers can lend or borrow crypto assets in a decentralized manner without passing a registration, doing a KYC and trusting a third party. Investors, traders, and speculators can offer their idle capitals as custom pools with a fixed rate for lending. Liquidity Provider can provide assets to existing pools and farm the Governance Token PIE with an annual percentage yield of up to 150%. Users can also stake PoS-based assets in existing pools to earn staking rewards according to the underlying protocols."

"The DeFiPIE protocol is a series of interest rate pools running on a variety of blockchains. When users and applications deposit their assets to the DeFIPIE Protocol, they begin earning a variable interest rate instantly. Interest accrues every block (for Ethereum ~13 seconds, for Binance Smart Chain ~3 seconds), and users can withdraw their principal plus interest anytime."

"When users deposit assets, they receive pTokens from DeFiPIE in exchange. pTokens are ERC20 tokens that can be redeemed for their underlying assets at any time. As interest accrues to the assets deposited, pTokens are redeemable at an exchange rate (relative to the underlying asset) that constantly increases over time, based on the rate of interest earned by the underlying asset."

"On the night of July 12–13, under cover of night, [an] attacker was able to withdraw almost all available liquidity from the protocol in ETH and BSC networks."

"The evil pTokens allow for nested borrows." "The main feature of the DeFiPIE protocol was that anyone can create new pools for any token. It was this feature that allowed the hacker to create a pool for the malicious token." The attacker "created a token contract (X token) with a modified transfer function. (X1, X2). He [then] created pools for X tokens and deposited liquidity. He provided real collateral (USDT, DAI, USDC, etc). He borrowed X tokens and real token (PIE and other) and with modified transfer function in X token he could borrow more than he provided collateral. After that[,] from his second account[,] he liquidated loans of X tokens in the first account thereby return[ing] the collateral."
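To make the ordering problem behind "nested borrows" concrete, here is an added illustration, not DeFiPie's code: a minimal pool whose borrow() records the loan only after calling the pool token's transfer(), beside a hardened version. The contract, function and variable names are hypothetical, and collateral accounting is reduced to a single mapping assumed to be filled in elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical single-asset pool (not DeFiPie's code). Collateral accounting is
// reduced to one mapping that some other function is assumed to fill in.
contract VulnerablePool {
    IERC20 public immutable underlying;                // chosen by the pool creator
    mapping(address => uint256) public borrowBalance;
    mapping(address => uint256) public collateralValue;
    constructor(IERC20 token) { underlying = token; }

    function borrow(uint256 amount) external {
        // The check reads borrowBalance as it is right now ...
        require(borrowBalance[msg.sender] + amount <= collateralValue[msg.sender], "undercollateralized");
        // ... and the external call runs before the new loan is recorded. If
        // `underlying` is an untrusted contract, its transfer() can call borrow()
        // again; each nested call passes the same check against the stale balance.
        require(underlying.transfer(msg.sender, amount), "transfer failed");
        borrowBalance[msg.sender] += amount;           // effect after interaction
    }
}

contract HardenedPool {
    IERC20 public immutable underlying;
    mapping(address => uint256) public borrowBalance;
    mapping(address => uint256) public collateralValue;
    uint256 private locked = 1;                        // reentrancy guard state

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(IERC20 token) { underlying = token; }

    function borrow(uint256 amount) external nonReentrant {
        require(borrowBalance[msg.sender] + amount <= collateralValue[msg.sender], "undercollateralized");
        borrowBalance[msg.sender] += amount;           // effect first (checks-effects-interactions)
        require(underlying.transfer(msg.sender, amount), "transfer failed");
        // The ordering and the guard stop nested borrows, but an arbitrary token
        // can still misreport transfers; which tokens may back a pool is a
        // separate decision the protocol has to make.
    }
}
```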

The team "tweeted that its application was hacked." "According to CoinGecko data, PIE tokens [fell] by more than 66% in 24 hours."

"The team [started] working with security auditing companies to find a solution. It [was] recommended that all liquidity providers extract all liquidity from the application. Currently holding assets on the DeFiPie application is not safe." "Right now, we have created governance proposals in all networks to set pause guardian, after which we will pause the possibility of liquidations and borrowing. This will avoid re-attacking."

"[W]e’ll be creating a new token." "Old $PIE tokens won’t be accepted anymore." "[A]ll $PIE holders have to deposit old $PIE tokens to the DeFiPie application and receive pPIE tokens in exchange." "Those who will have pPIE tokens will receive new locked $PIE tokens (we’ll announce the address of the new smart contract a bit later). DeFiPie team will create custom smart contracts, where you have to deposit (stake) your pPIE tokens and only in this case you’ll able to receive new $PIE tokens. We won’t support exchanges or cold wallets with old $PIE tokens. You’ll receive new $PIE tokens only if you’ll deposit pPIE tokens into a special smart contract developed by the DeFiPie team."

"We’ll try to do our best for all investors and partners, but unfortunately we can’t compensate all amounts of money right now." "Investors and partners, who were ready to convert their holdings to the price a day before the hack (12 July) will be in #1 queue. They’ll be able to receive a 25% APY bonus on their investment amount. You’ll able to receive compensation on your native investment without any APY, but you’ll be in #2 queue."

"We will not say that everything was broken, and now we plan to work in the future and continue to rebuild our product — we have to find new way, change something and provide more value than previously expected."

"For the past few weeks, we’ve been hard at work on next steps and plans for DeFiPie and a solution has finally come! We’re ready to present a rebranding program for DeFiPie, and our future plans and vision! So, read and chill!"

"DeFiPie is going to rebrand its name — DeFiPie is going to be called pieLABS — the first laboratory of decentralized finances!" "pieLABS will be the principal company under the DeFiPie project. From today, DeFiPie is only one part of a more complex product of the pieLABS ecosystem." "All-in-one does not just mean the DeFi and NFT market. We’re going to operate like crypto bank!"



The Reality


What Happened


Key Event Timeline - DeFiPie Nested Borrows

Date: July 12th, 2021 12:00:00 AM
Event: Main Event
Description: An attacker withdrew almost all available liquidity from the protocol on the ETH and BSC networks.

Total Amount Lost

The total amount lost is unknown.


Immediate Reactions


Ultimate Outcome


Total Amount Recovered

There do not appear to have been any funds recovered in this case.


Ongoing Developments


Prevention Policies

Re-entrancy bugs are a common mistake in smart contracts, including those that act as hot wallets, and a thorough security audit can often detect them.

In order to be more certain of security, offline cold storage and a proper multi-sig is best.

References