Penpie Platform Reward Reentrancy Exploit
Penpie is a next-generation yield farming platform. During the deployment of its smart contracts, a potential reentrancy vulnerability was not caught by two auditing firms. At the time, the vulnerability could not be exploited because only approved smart contracts could be used; this restriction was subsequently lifted, and at that point the portion of the smart contract containing the vulnerability was not included in the audit. An attacker was able to create a malicious contract which repeatedly claimed the reward incentive. Penpie attempted unsuccessfully to negotiate with the hacker before offering a 10% bounty for information leading to recovery of the funds. The Penpie protocol reportedly has $105m in funds remaining that were not exploited, and plans to relaunch after extensive auditing is completed.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About Penpie
"Penpie is a next-generation DeFi platform designed to provide Pendle Finance users with yield and veTokenomics boosting services. Integrated with Pendle Finance, Penpie focuses on locking PENDLE tokens to obtain governance rights and enhanced yield benefits within Pendle Finance. Penpie revolutionizes the way users can optimize rewards for their active participation and monetize their governance power.
Penpie offers users the opportunity to deposit their assets to earn maximized APR % while it allows Pendle Finance voters to cost-effectively acquire voting power and user active engagement rewards at the same time through the PNP token.
Penpie gives PENDLE holders the chance to earn high APR by converting their tokens into mPENDLE. By leveraging the power of Pendle Finance's veTokenomics model, Penpie offers users the opportunity to earn more PENDLE rewards with their PENDLE tokens. Penpie has created mPENDLE, a Penpie version of the PENDLE token, which allows users to earn enhanced PENDLE rewards while enjoying increased flexibility through Penpie. This mechanism gives PENDLE holders the chance to earn high APR% by converting their tokens into mPENDLE at a 1:1 ratio.
When users convert their PENDLE tokens on Penpie, they receive mPENDLE, which enables them to earn maximized PENDLE rewards. Meanwhile, Penpie locks all the converted PENDLE as vePENDLE on Pendle Finance, resulting in the accumulation of vePENDLE for Penpie. This vePENDLE entitles Penpie to enhanced benefits on Pendle Finance. As a result, Penpie can offer users a sustainable, boosted yield to active participants and cost-effective governance rights."
The Reality
"Despite audits by WatchPug and Zokyo, this glaring oversight slipped through the cracks."
What Happened
| Date | Event | Description |
|---|---|---|
| September 3rd, 2024 12:23:35 PM MDT | Malicious Transaction | The malicious transaction which drains the Penpie smart contract, as reported by Chaofan Shou. |
| September 3rd, 2024 12:45:00 PM MDT | Pendle Platform Paused | "Pendle fully paused their platform on Ethereum" |
| September 3rd, 2024 12:59:00 PM MDT | Chaofan Shou Tweet | Chaofan Shou reports on the attack, reporting a loss total of $17m. |
| September 3rd, 2024 1:00:00 PM MDT | Penpie Informed About Exploit | "The Pendle team informed us that Penpie had been exploited by an attacker." |
| September 3rd, 2024 1:01:00 PM MDT | Loss Amount Amended | Chaofan Shou reports that the loss is now $26m. |
| September 3rd, 2024 1:10:00 PM MDT | Hexagate Notification About Exploit | "Hexagate notified us that Penpie had been exploited, and we initiated an investigation in collaboration with them." |
| September 3rd, 2024 1:14:00 PM MDT | Final Arbitrum Fund Drain | "Last drained funds were stolen by the attacker via Arbitrum ($621k gUSDC)" |
| September 3rd, 2024 1:19:00 PM MDT | Arbitrum Platform Paused | "Pendle fully paused their platform on Arbitrum" |
| September 3rd, 2024 1:27:00 PM MDT | Pendle Post On Twitter | "Pendle posted on X, informing users that their platform was unaffected. However, they also reported that Penpie had been targeted by an attacker and a security compromise was found." |
| September 3rd, 2024 1:55:00 PM MDT | Protocol Announced Shut Down | The Penpie protocol posts on Twitter to announce that they have now shut down their platform for deposits and withdrawals and admit to a security compromise. Multiple post responses provide users with fake revoke links which will drain funds if approved. |
| September 5th, 2024 8:27:43 AM MDT | Garrett Lee Explanation Video | YouTuber Garrett Lee reports a detailed walkthrough of the exploit |
| September 5th, 2024 11:10:00 PM MDT | Bounty Offered By Tweet | Penpie announces the offer of a 10% bounty for "the individual or group whose contribution directly leads to the recovery of the stolen assets". |
| September 10th, 2024 11:56:00 PM MDT | Platform Remains Paused | "deposits and withdrawals on @Penpiexyz_io remain paused as the platform undergoes full audits by several security firms to ensure a safe resumption of operations. @BlockSecTeam, @peckshield, and @AstraSecAI have already initiated their audits, and we are in discussions with additional companies. It is anticipated that deposits and withdrawals will resume in approximately 2-3 weeks, pending the successful completion of these audits." |
Technical Details
"The root cause was a reentrancy protection vulnerability in the PendleStakingBaseUpg::batchHarvestMarketRewards() function. By re-entering the PendleStakingBaseUpg::depositMarket() function during the reward harvesting process, the malicious SY contract repeatedly added new deposits sourced from a flash loan. This allowed the attacker to manipulate the reward tokens and their amounts sent to the fake Pendle market depositor, which is the attacker itself.
Penpie’s open system for permissionless registration of new Pendle markets triggered this fraudulent activity. The design of permissionless registration itself is fine, but it allowed the attacker to register a fake Pendle market with an attack SY contract and execute the exploit, which uncovered the reentrancy vulnerability."
"According to the blockchain gumshoes at PeckShield, the root cause was "the introduction of an evil market that was used to inflate the staking balance to claim unwarranted rewards."
Translation for the non-tech savvy: the attacker created a fake Pendle market, essentially tricking Penpie's contracts into thinking they were dealing with the real McCoy.
Ancilia provided more information, highlighting that the exploit stemmed from a sneaky loophole in Penpie's batchHarvestMarketRewards() function.
In a flash, the attacker launched a reentrancy attack, creating a fake Pendle market to dupe Penpie's contracts.
When the _harvestBatchMarketRewards() function called redeemRewards(), the hacker's contract slipped in, executing a deceptive maneuver that would make seasoned con artists envious.
The end result? A textbook double-dip, inflating the attacker's staking balance and siphoning off undeserved rewards."
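The quoted analyses describe the same accounting flaw from two angles: the harvest routine makes an external call to a market's SY contract, and the balances used to split the harvested rewards are read only after that call returns, so a deposit made during the call counts toward the distribution. The toy model below is an added example written for this page; it is not Penpie's or Pendle's code, and the contract names, amounts and the hypothetical re-entering reward source are constructed. It runs the same harvest three ways: with no protection, with a shared nonReentrant-style lock on deposit and harvest, and with the balance snapshot taken before the external call (checks-effects-interactions). Only the unprotected variant credits the mid-harvest deposit.

```python
# Toy model (added example, not Penpie's or Pendle's code) of a reward-harvest
# reentrancy and two standard mitigations. Names, amounts and the hypothetical
# reward source are constructed for illustration.


class Reverted(Exception):
    """Stands in for a Solidity revert (e.g. a nonReentrant guard tripping)."""


class RewardSource:
    """Honest stand-in for a market's SY contract: redeem returns a fixed reward."""

    def __init__(self, reward):
        self.reward = reward

    def redeem_rewards(self, staking):
        return self.reward


class ReenteringRewardSource(RewardSource):
    """Hypothetical reward source that calls back into the staking contract
    (a deposit) while harvest is still mid-flight, as the page describes."""

    def __init__(self, reward, depositor, amount):
        super().__init__(reward)
        self.depositor, self.amount = depositor, amount

    def redeem_rewards(self, staking):
        staking.deposit(self.depositor, self.amount)  # the re-entrant call
        return self.reward


class Staking:
    """Minimal staking pool with pro-rata reward distribution.

    mode: "vulnerable" (no guard; balances read after the external call),
          "guarded"    (shared nonReentrant-style lock on deposit and harvest),
          "snapshot"   (balances snapshotted before the external call).
    """

    def __init__(self, source, mode="vulnerable"):
        self.source, self.mode = source, mode
        self.balances, self.total, self.claimable = {}, 0, {}
        self._locked = False

    def _lock(self):
        if self.mode == "guarded":
            if self._locked:
                raise Reverted("reentrant call")
            self._locked = True

    def _unlock(self):
        if self.mode == "guarded":
            self._locked = False

    def deposit(self, user, amount):
        self._lock()
        try:
            self.balances[user] = self.balances.get(user, 0) + amount
            self.total += amount
        finally:
            self._unlock()

    def harvest(self):
        self._lock()
        try:
            # Effects first: decide who is entitled to this harvest before
            # handing control to untrusted code.
            if self.mode == "snapshot":
                snapshot, total = dict(self.balances), self.total
            # Interaction: external call into the (possibly malicious) SY contract.
            reward = self.source.redeem_rewards(self)
            if self.mode != "snapshot":
                snapshot, total = self.balances, self.total  # read AFTER the call
            if total == 0:
                return reward  # nobody staked; nothing to distribute
            for user, bal in snapshot.items():
                self.claimable[user] = self.claimable.get(user, 0) + reward * bal // total
            return reward
        finally:
            self._unlock()


def run_scenario(mode, reenter=True, honest_stake=100, flash_amount=10_000, reward=1_000):
    """Return (honest_claimable, attacker_claimable, reverted) for one harvest."""
    source = ReenteringRewardSource(reward, "attacker", flash_amount) if reenter else RewardSource(reward)
    pool = Staking(source, mode)
    pool.deposit("honest", honest_stake)
    reverted = False
    try:
        pool.harvest()
    except Reverted:
        reverted = True
    return (pool.claimable.get("honest", 0), pool.claimable.get("attacker", 0), reverted)


if __name__ == "__main__":
    for mode in ("vulnerable", "guarded", "snapshot"):
        print(mode, run_scenario(mode))
```

With the constructed numbers (an honest staker with 100 units, a 10,000-unit deposit made during the external call, a 1,000-unit reward), the unprotected pool hands 990 of the 1,000 reward units to the account that deposited mid-harvest; the guarded pool reverts the whole harvest, and the snapshot pool credits the honest staker in full while still accepting the late deposit for future harvests. Either mitigation is enough on its own; the lock is the simplest to retrofit, while the snapshot ordering is what makes the distribution independent of anything the external call does.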
Total Amount Lost
The total amount at risk has been estimated at $132,348,000 USD. The total amount lost has been estimated at $27,348,000 USD.
Immediate Reactions
"Seems like @Penpiexyz_io got hacked. $17M loss."
"Alert: Penpie has encountered a security compromise.
We have paused all deposits and withdrawals. Our team is working tirelessly to address it. Your patience and support are invaluable during this time."
"On September 3, 2024, at 6:23 PM UTC, a sophisticated attacker exploited a security vulnerability within the Penpie platform, seizing control of users’ funds and draining over $27,000,000 worth of assets across the Arbitrum and Ethereum networks. The attacker manipulated a fake Pendle market to maximize rewards."
Ultimate Outcome
"In light of the recent security compromise on @Penpiexyz_io, we want to assure our community that we have identified the root cause, and all other protocols within the Magpie ecosystem remain secure and unaffected."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
"Dear community, deposits and withdrawals on @Penpiexyz_io remain paused as the platform undergoes full audits by several security firms to ensure a safe resumption of operations. @BlockSecTeam, @peckshield, and @AstraSecAI have already initiated their audits, and we are in discussions with additional companies. It is anticipated that deposits and withdrawals will resume in approximately 2-3 weeks, pending the successful completion of these audits.
In collaboration with @hexagate_, we are integrating real-time monitoring to establish a highly efficient and proactive response system.
We continue to work closely with law enforcement, security firms, partners, and key members of the crypto community, including major exchanges, to trace, track, and freeze funds linked to the hacker.
Also, steps are being taken to prepare a post on the Penpie governance forum to open discussions on a potential compensation plan. To our users and partners, thank you for your ongoing support and patience as we navigate through this process."
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Rekt - Penpie - Rekt (Accessed Sep 13, 2024)
- ↑ @shoucccc Twitter (Accessed Sep 13, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ Penpie’s Hacker Hunt: Offering Up to 10% of Recovered Funds as a Bounty | by Magpie | Sep, 2024 | Penpie (Accessed Sep 13, 2024)
- ↑ Penpie Post-Mortem Report. Incident Overview | by Magpie | Sep, 2024 | Penpie (Accessed Sep 13, 2024)
- ↑ https://web.archive.org/web/20230608095137/https://penpiexyz.io/ (Accessed Sep 13, 2024)
- ↑ - YouTube (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @pendle_fi Twitter (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @magpiexyz_io Twitter (Accessed Sep 13, 2024)
- ↑ @Penpiexyz_io Twitter (Accessed Sep 13, 2024)