Perpy Finance Contract Initialization Issue
Perpy Finance allows traders and investors to connect. The social finance project reported being attacked on May 6th. A hacker was reportedly able to update the contract and illicitly withdraw 58,489,594 PRY tokens. These were then transferred and exchanged for 41.895 ETH. According to Perpy Finance's incident analysis report, "this breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot." The exploit transaction itself does not appear to have been published.[1][2][3][4][5][6][7][8][9]
About Perpy Finance
"Perpy is the home of SocialFi & Asset Management, where we connect traders with investors through two major verticals: Trading Vaults and Communities. Perpy offers Traders the best venues and tools to monetize their trading skills, grow their brand, and nurture their community. In the meantime, Investors can profit from Traders' skills by allocating funds in a secure and non-custodial way.
With the current state of the ecosystem, traders have no optimal medium to share their trading setups and performance in a transparent, legitimate, and verifiable manner. Building an engaged community is even harder, and the overhead of managing different platforms, tooling, and paywalls is time-consuming. The same goes for users who follow multiple accounts, Alfa sources, a dozen Telegram groups, and a bunch of private Discord servers.
These are discrepancies and inefficiencies across crypto communities to share and earn together. That’s where Perpy brings another piece of the puzzle with an all-in-one solution to solve this major issue.
With its Social Layer and Trading Vaults, Perpy is taking the concepts of Social Trading and Marketplace between Traders and Investors to another level. Perpy offers a unique opportunity to create or join communities where exclusive content, insights, market perspectives, and hot narratives can be accessed publicly or privately at the vault manager's discretion, like any messaging app.
On top of this Social Layer, we’re plugging the Trading Vault, where the vault manager can trade on behalf of his investors (aka the community members), take commissions on any profits generated and have access to an in-depth and unmatched on-chain trading journal and statistics page."
The Reality
"This breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot. We overconfidently chose not to audit this fork, incorrectly considering it risk-free, a decision that led to this exploit."
What Happened
"On May 6, we detected an exploit in our staking contract after observing a significant sell-off and receiving reports that users were unable to interact with the staking module. A hacker was able to update the contract and illicitly withdrew 58,489,594 $PRY tokens. These were then transferred and exchanged for 41.895 ETH."
| Date | Event | Description |
|---|---|---|
| May 6th, 2024 1:34:00 AM MDT | Perpy Finance Warning Tweet | Perpy Finance posts an initial warning tweet to notify the community about the exploit transaction happening. |
| May 10th, 2024 7:59:01 AM MDT | Perpy Finance Update Posted | Perpy Finance shares an update about the incident which happened. |
| May 13th, 2024 7:39:00 AM MDT | Platform Update Released | Perpy Finance releases an update to their platform. |
Technical Details
"Perpy's core contracts have a simple structure: A factory contract is responsible for creating Trading Vaults for traders where they will be able to trade users’ deposits. After a deposit is made, the user receives an equivalent amount of shares corresponding to an ERC-20 contract which acts as a proof of deposit. The vault also tracks the performance of the trader through the shares and manages fees redistribution. TVL and shares are calculated by Pyth Network oracle."
"The vulnerability was related to a section of the code that was added post-audit to introduce liquid staking."
"This breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot. We overconfidently chose not to audit this fork, incorrectly considering it risk-free, a decision that led to this exploit."
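The report only says the proxy for the liquid staking module was initialized incorrectly; the exact mistake is not published. The following is an added, constructed illustration (not Perpy's or Camelot's code) of the general failure mode behind such reports: an upgradeable module whose initializer stands in for the constructor but is callable by anyone, beside a hardened version that can only be initialized once and only through the proxy. All contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Behind a proxy, initialize() replaces the constructor
// and writes the proxy's storage; if it is unguarded or never called, the
// first caller can take ownership of the live proxy.

contract StakingLiquidUnsafe {
    address public owner;
    address public implementation; // hypothetical upgrade-target slot

    // Defect: no one-shot guard and no access control. Anyone can (re)run
    // this, become owner, and then point the proxy at code of their choosing.
    function initialize(address owner_) external {
        owner = owner_;
    }

    function upgradeTo(address newImplementation) external {
        require(msg.sender == owner, "not owner");
        implementation = newImplementation;
    }
}

contract StakingLiquidSafe {
    address public owner;
    address public implementation;
    uint8 private _initialized; // 0 = not yet initialized, 1 = initialized

    // One-shot guard: the second call to any initializer reverts.
    modifier initializer() {
        require(_initialized == 0, "already initialized");
        _initialized = 1;
        _;
    }

    // Runs only in the implementation's own storage (never the proxy's),
    // so the bare implementation contract can never be claimed by a stranger.
    constructor() {
        _initialized = 1;
    }

    function initialize(address owner_) external initializer {
        require(owner_ != address(0), "zero owner");
        owner = owner_;
    }

    function upgradeTo(address newImplementation) external {
        require(msg.sender == owner, "not owner");
        implementation = newImplementation;
    }
}
```

When deploying, pass `abi.encodeCall(StakingLiquidSafe.initialize, (owner))` as the init data to the proxy's constructor (OpenZeppelin's `ERC1967Proxy` takes `(address implementation, bytes data)`), so deployment and initialization land in one transaction and there is no window in which the proxy is live but unowned. A post-deployment check that `owner()` on the proxy returns the intended address, and that a second `initialize` call reverts, catches the unsafe pattern before any funds are staked.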
Total Amount Lost
The total amount lost has been estimated at $132,000 USD.
Immediate Reactions
"Security alert: We've detected a malicious interaction with the staking contracts. Do not interact with the staking module until further notice. A plan to fix the exploit and refund affected users will be communicated shortly after our investigation is done."
"On May 6, we detected an exploit in our staking contract after observing a significant sell-off and receiving reports that users were unable to interact with the staking module. A hacker was able to update the contract and illicitly withdrew 58,489,594 $PRY tokens. These were then transferred and exchanged for 41.895 ETH."
"As a precautionary measure, we have temporarily paused the staking contract."
"In response to the hack, we acted swiftly to mitigate the impact on our users. We’ve bought back the $PRY tokens dumped by the hackers and have completed redistributing them to all affected stakers, restoring their original staked amounts. This action cost the treasury approximately 170K USDC."
Ultimate Outcome
"We have put liquid staking on hold and have already launched an audit of the staking contracts with Peckshield, expected to conclude by May 18, 2024. If the audit is cleared, we plan to reopen liquid staking the following week."
"We deeply regret this incident and accept full responsibility. We acted quickly to protect our community, and all subsequent actions were taken with your best interests in mind. We hope that our immediate buyback and refund actions demonstrate our dedication and loyalty to you.
In retrospect, we recognize that our drive to rapidly introduce new features compromised our platform's stability and user experience. Moving forward, we are refocusing our efforts on enhancing the core features and the overall trading experience, delaying non-essential features like NFT vault integration, NFT Perp or Sports Betting, to prioritize the security, efficiency and overall user experience of the dApp.
Luckily, this hack happened when our token's value was low, which means we could handle the loss without endangering Perpy’s future. We have been meticulous in managing our cash flow and have sufficient reserves to sustain our project for many years to come.
Despite our significant efforts in Marketing and Business Development, we are facing challenges due to the reluctance surrounding the price performance of the $PRY token. KOLs are hesitant to engage in public trading or discuss the token's performance. That’s one of the reasons why our marketing efforts have had a limited impact. Our reputation has suffered since the underperforming ICO on Camelot, making marketing more difficult. Unfortunately, users tend to focus on the token's price and associated reputation rather than seeing all the accomplishments over the past year. We share your dissatisfaction with the activity on Perpy and the token's price performance. The most frustrating aspect is that we're giving absolutely everything and working as never before to develop the dApp."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] SlowMist Hacked - SlowMist Zone (May 28, 2024)
- [2] https://perpy-finance.beehiiv.com/p/update-recent-exploit (May 28, 2024)
- [3] https://web.archive.org/web/20240522124729/https://perpy-finance.beehiiv.com/p/update-recent-exploit (May 28, 2024)
- [4] Perpy - Decentralized Social Trading App (May 28, 2024)
- [5] Overview | Perpy Finance (May 28, 2024)
- [6] Protocol Technical Description | Perpy Finance (May 28, 2024)
- [7] DeFi and Cryptocurrency Hacks / Neptune Mutual (May 28, 2024)
- [8] @PerpyFinance Twitter (May 28, 2024)
- [9] @PerpyFinance Twitter (May 28, 2024)