Equilibria Finance Reward Mechanism stk-ePendle Balance Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:43, 27 August 2025 by Azoundria

Equilibria Finance, a DeFi platform built around the Pendle Finance ecosystem, experienced an exploit in its Ethereum auto-compounder due to a misconfigured contract that allowed reward farming through repeated transfers. The attacker drained approximately 13.36 ETH in unclaimed rewards, but no user funds or core liquidity positions were affected. The team responded quickly by pausing protocol functions and containing the incident. It has since implemented fixes, committed to compensating affected users, and announced stricter deployment procedures to prevent future vulnerabilities.[1][2][3][4][5][6][7][8][9][10]

About Equilibria Finance

Equilibria Finance is a DeFi platform designed to help users maximize their yield potential, inspired by the dynamic motion of a pendulum at equilibrium. The project is purpose-built for the Pendle Finance ecosystem and caters specifically to $PENDLE holders and liquidity providers. Founded by experienced DeFi professionals, Equilibria provides a streamlined interface for users to amplify their earnings through smart yield strategies.

The platform integrates with Pendle’s veToken/boosted yield model by offering a liquid version of vePENDLE called ePENDLE. This allows $PENDLE holders to benefit from staking rewards and other incentives while maintaining liquidity, as ePENDLE can be traded or swapped back to PENDLE. Meanwhile, LPs who don’t hold vePENDLE can still enjoy boosted yields by routing their positions through Equilibria.

Equilibria’s goal is to extend beyond Pendle over time, bringing its yield-optimizing infrastructure to other protocols. With community and partner support, the platform aims to scale its ecosystem while continuing to deliver innovative solutions for DeFi participants.

What Happened

Equilibria Finance experienced an exploit in its Ethereum auto-compounder caused by a misconfigured contract that allowed repeated reward claims through transferable stk-ePENDLE tokens.

Key Event Timeline - Equilibria Finance Reward Mechanism stk-ePendle Balance Hack
| Date | Event | Description |
|---|---|---|
| August 23rd, 2025 5:20:59 AM MDT | Equilibria Finance Attack Transaction | The Equilibria Finance protocol suffers from an attack. |
| August 23rd, 2025 6:23:00 AM MDT | Issue Publicly Reported Initially | Equilibria Finance reported an issue with its ePENDLE Balancer vault and assured users that all Pendle markets and LP positions remain safe. As a precaution, the protocol was automatically paused, and the team began investigating. A full incident report was promised to follow. |
| August 23rd, 2025 10:48:00 AM MDT | Detailed Incident Tweet Posted | Equilibria Finance publicly confirmed an exploit affecting its Ethereum ePENDLE auto-compounder, resulting in the loss of ~13.36 ETH from unclaimed rewards. They emphasized that no user funds or Pendle market positions were impacted. Protocol functions were paused immediately, the root cause was identified, and fixes are underway. Compensation for affected rewards and stricter deployment processes were also announced. |
| August 23rd, 2025 9:19:00 PM MDT | TenArmor Posts Tweet | TenArmor posts a tweet about the situation with the attack transaction and a tweet by the Equilibria Finance team. |
| August 23rd, 2025 10:33:00 PM MDT | Functions Are Now Unpaused | The Equilibria Finance team announces that all functions have now been unpaused "and are operating normally now". |

Technical Details

According to the technical description provided by the Equilibria Finance team:

"The vulnerability stemmed from the Ethereum mainnet version of stk-ePENDLE not being configured as non-transferable. An attacker used flash loans through Balancer to acquire ePENDLE, stake it into stk-ePENDLE, and then repeatedly transfer stk-ePENDLE across multiple addresses. Each transfer triggered a reward claim, which harvested the unclaimed rewards from the contract."
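The accounting failure described in this statement can be modelled as a small ledger with a solvency invariant that a deployment test would assert. This Python sketch is an added example, not Equilibria's contract code: it assumes a per-share reward index with a claim settled on every transfer, and the class, account names and amounts are constructed for illustration.

```python
# Added illustration: a toy reward ledger, NOT Equilibria's contract code.
# Assumed model: an account is paid balance * (index - its last settled index).
PRECISION = 10**18

class RewardLedger:
    def __init__(self, transferable):
        self.transferable = transferable
        self.index = self.funded = self.paid = 0   # scaled index, deposits, payouts
        self.balance, self.last_index = {}, {}     # per-account stake and checkpoint

    def pending(self, acct):
        delta = self.index - self.last_index.get(acct, 0)
        return self.balance.get(acct, 0) * delta // PRECISION

    def _settle(self, acct):
        self.paid += self.pending(acct)
        self.last_index[acct] = self.index

    def stake(self, acct, amount):
        self._settle(acct)
        self.balance[acct] = self.balance.get(acct, 0) + amount

    def fund(self, reward):
        self.funded += reward
        self.index += reward * PRECISION // sum(self.balance.values())

    def transfer(self, src, dst, amount):
        if not self.transferable:
            raise PermissionError("staked token is non-transferable")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        # Modelled flaw: the claim runs after balances moved, so a fresh dst
        # (last index 0) is paid for rewards accrued before it held anything.
        self._settle(src)
        self._settle(dst)

    def invariant_holds(self):  # paid + still owed must never exceed funded
        return self.paid + sum(self.pending(a) for a in self.balance) <= self.funded

def run_scenario(transferable, hops=3):
    ledger = RewardLedger(transferable)
    ledger.stake("long_term_staker", 100)
    ledger.fund(10_000)            # constructed amounts; rewards left unclaimed
    ledger.stake("acct_0", 100)    # staked only after the rewards accrued
    try:
        for i in range(hops):
            ledger.transfer(f"acct_{i}", f"acct_{i + 1}", 100)
    except PermissionError:
        pass
    return ledger.paid, ledger.invariant_holds()
```

With the token transferable, payouts exceed the funded rewards and the invariant fails after the first transfer; with the non-transferable setting the transfer reverts and the ledger stays solvent.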

Total Amount Lost

The loss was reported as "approximately 13.36 ETH".

The total amount lost has been estimated at $63,000 USD.

Immediate Reactions

Equilibria Finance reports that they "automatically paused all protocol functions" following "the very first transaction of the attack".

Ultimate Outcome

The Equilibria Finance team re-enabled functions shortly after the exploit was contained, once they had verified that "no scenario impacted Pendle markets or LPs". They announced that "[t]he Ethereum stk-ePENDLE contract will be updated to match the secure implementation already active on other chains" and that "[t]he Equilibria treasury will compensate users who missed out on ETH rewards as a result of this incident".

Total Amount Recovered

Equilibria Finance has announced that they will be covering all rewards which were intended to be paid out to users of the protocol.

The total amount recovered is unknown.

Ongoing Developments

To help address future concerns and risks, Equilibria announced they will be adopting "stricter procedures for all contract deployments and updates on every supported network".

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. TenArmor - "Our system has detected that #Equilibria Finance @Equilibriafi on #ETH was attacked, resulting in an approximately loss of $62.5K. The root cause lies in the reward mechanism of the stk-ePendle contract, which calculates rewards for each account based on its stk-ePendle balance, making it easily exploitable by transferring stk-ePendle across multiple accounts." - Twitter/X (Accessed Aug 27, 2025)
  2. Equilibria Finance Attack Transaction - Etherscan (Accessed Aug 27, 2025)
  3. The Equilibria Finance Exploiter - Etherscan (Accessed Aug 27, 2025)
  4. Equilibria Finance - "Earlier today, we identified an exploit in the Ethereum ePENDLE auto-compounder contract, which resulted in the loss of approximately 13.36 ETH. Importantly, no user funds were affected—including all Pendle Market LP positions and ePENDLE balances. The incident was contained to the auto-compounder’s accumulated ETH rewards, which had remained unclaimed for over a year." - Twitter/X (Accessed Aug 27, 2025)
  5. Equilibria Finance - "All functions have been fully unpaused and are operating normally now." - Twitter/X (Accessed Aug 27, 2025)
  6. Equilibria Finance - "Hey Equilibrians, we’ve encountered an issue with our ePENDLE Balancer vault. All Pendle Markets and LPs are safe, and our team is on top of it." - Twitter/X (Accessed Aug 27, 2025)
  7. Equilibria Finance Link Tree (Accessed Aug 27, 2025)
  8. Equilibria Finance Homepage (Accessed Aug 27, 2025)
  9. Equilibria Finance Documentation (Accessed Aug 27, 2025)
  10. Equilibria Finance Twitter/X (Accessed Aug 27, 2025)