Pike Finance USDC Withdrawal Vulnerability
Pike Finance is a lending protocol which allows loans to be taken out against collateral held on other chains. As part of its deployment, there was a known and reported issue where USDC could be withdrawn without proper validation. The team corrected the vulnerability with an upgrade which itself allowed all the assets to be drained from the smart contract; the team eventually offered refunds to users.[1][2][3][4][5][6][7][8][9][10][11][12]
About Pike Finance
"Universal Liquidity Protocol A next generation money market 一 deposit collateral on chain A, borrow on chain B."
"Pike is a universal liquidity market optimized for native assets." "Pike is a universal liquidity market that enables lending and borrowing using native assets directly on their respective blockchains, eliminating the need for wrapping and cross-chain transfers."
"Pike enables lending and borrowing using native assets directly on their respective blockchains, eliminating the need for wrapping and cross-chain transfers. For example, users can deposit Arbitrum's ARB tokens as collateral on their native Arbitrum chain, while borrowing other assets on a different blockchain." "Pike is enabled by Wormhole Cross-Chain Messaging, Circle’s Cross-Chain Transfer Protocol, and Pyth Data Feeds."
"Pike redefines the user experience for cross-chain lending and borrowing - Our focus on native assets removes the need for assets with suffixes and prefixes." "Seamlessly maximize your yields and leverage Pike’s native cross-chain functionality 一 No longer do you have to constantly bridge your assets to explore opportunities across the ecosystem." "Pike’s hub and spoke architecture is designed to fade into the background 一 Allowing users to realize an interconnected DeFi vision. Utilize a suite of assets from across the ecosystem 一 Ranging from yield bearing stablecoins and LSTs, to LP tokens."
"Wormhole messaging eliminates risks associated with cross-chain bridges and bridged assets 一 reducing attack vectors stemming from pricing oracles."
The Reality
The smart contract had a vulnerability which was reported and ignored, allowing the theft of $299k worth of USDC.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
April 25th, 2024 5:32:35 PM MDT | Binance Funding Source | Attacker is initially funded from Binance with 0.11487 ETH on the Optimism chain. |
April 25th, 2024 6:13:59 PM MDT | Exploit Timestamp | The USDC withdrawal vulnerability is exploited for the first time, withdrawing $162,537 USDC. |
April 25th, 2024 6:32:35 PM MDT | Bridge To Ethereum | Assets are bridged back to the Ethereum blockchain. |
April 25th, 2024 7:34:59 PM MDT | First TornadoCash Deposit | The attacker deposits the first batch of 10 ETH into TornadoCash. |
April 26th, 2024 11:59:35 AM MDT | Team Reaching Out | The Pike Finance team reaches out to the attacker requesting to "resolve this matter in a mutually beneficial way". There is no response to their request. |
May 1st, 2024 10:30:00 AM MDT | Announcement By Pike Finance | Pike Finance publishes an announcement clarifying its description of the exploit, making clear that its own protocol, and not USDC, was vulnerable. |
May 2nd, 2024 5:07:49 AM MDT | Path Forward Published | Pike Finance publishes a path forward for both vulnerabilities and how they plan to compensate users. |
Technical Details
Attacker: 0xAdaF1626aEC26A7937aE7d1Fa0664e6E0904C1d0
Target Contract: 0x7856493B59cdb1685757A6DcCe12425F6a6666a0
Attack Transaction: 0x979ad9b7f5331ea8034305a83b5cd50aea88adec395fff8298dd90eb1b87667f
Total Amount Lost
"On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH."
The total amount lost has been estimated at $299,000 USD.
Immediate Reactions
"While we continue our investigation, we are offering a 20% reward for the return of the funds, or information leading to the recovery of funds."
Ultimate Outcome
Ongoing.
Total Amount Recovered
The Pike Finance team published a blog post with the plan forward.
"In the coming days, we will disclose a full list of wallet addresses with active supply and borrow positions prior to the protocol halt as of April 26 08:35 PM UTC. Addresses with a supply position will have a credit balance, and addresses with a borrow position will have a debit balance. We will calculate the Net Balance [Total Value of Supply - Total Value of Borrow] and assess whether liquidation levels have been triggered using asset prices as of April 26 08:35 PM UTC. Addresses with a positive net balance after accounting for liquidation checks will be restituted in full directly to their wallets ($OP via Optimism, $ARB via Arbitrum, $ETH and $USDC via Base)."
"The Community Treasury allocation of $P has been set aside for various usages, however one of these is of course, as an insurance fund.
As a result, we will be using 4% of the total supply of $P (from the Community Treasury allocation) as collateral to borrow the necessary stablecoin funds from the team treasury (around $2M USD across both exploits).
These will then be used to purchase the relevant assets on the open market and reimburse users for what they had within Pike prior to the exploit.
As the protocol generates revenue and launches the $P token, this loan will then be paid back accordingly - transferring the $P tokens used as collateral to the Foundation Treasury.
Once the debt is repaid, the $P will be released back to Insurance pool"
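The restitution rule in the quoted plan (net balance = total value of supply minus total value of borrow at snapshot prices, a liquidation check at those prices, and full restitution only for addresses left with a positive net balance) can be worked through as code. The following Python is an added example written for this page, not Pike's own code; the addresses, positions, snapshot prices and the 80% liquidation threshold are constructed assumptions, since the page gives none of them.

```python
from dataclasses import dataclass
from decimal import Decimal

# Snapshot prices "as of April 26 08:35 PM UTC". These numbers are constructed
# placeholders for the example; the real snapshot prices are not on the page.
SNAPSHOT_PRICES = {
    "OP": Decimal("2.50"),
    "ARB": Decimal("1.10"),
    "ETH": Decimal("3100"),
    "USDC": Decimal("1.00"),
}

# Payout rail per asset, as stated in the plan ($OP via Optimism, $ARB via
# Arbitrum, $ETH and $USDC via Base).
PAYOUT_CHAIN = {"OP": "Optimism", "ARB": "Arbitrum", "ETH": "Base", "USDC": "Base"}

# Assumed liquidation threshold: a position counts as liquidated when its borrow
# value exceeds this fraction of its supply value. Pike's real per-asset
# thresholds are not given on the page, so this value is an assumption.
LIQUIDATION_THRESHOLD = Decimal("0.80")


@dataclass
class Position:
    address: str
    supply: dict  # asset symbol -> amount supplied (credit balance)
    borrow: dict  # asset symbol -> amount borrowed (debit balance)


@dataclass
class Assessment:
    address: str
    supply_value: Decimal      # total value of supply at snapshot prices
    borrow_value: Decimal      # total value of borrow at snapshot prices
    net_balance: Decimal       # supply_value - borrow_value
    liquidated: bool           # liquidation level triggered at the snapshot
    restitution_usd: Decimal   # amount owed in full, 0 if not eligible
    payout_chains: frozenset   # chains the address's supplied assets pay out on


def value_at_snapshot(amounts: dict, prices: dict = SNAPSHOT_PRICES) -> Decimal:
    """Sum amount * price over every asset, refusing assets with no snapshot price."""
    total = Decimal(0)
    for asset, amount in amounts.items():
        if asset not in prices:
            raise KeyError(f"no snapshot price for {asset}")
        total += Decimal(amount) * prices[asset]
    return total


def assess(position: Position, prices: dict = SNAPSHOT_PRICES,
           threshold: Decimal = LIQUIDATION_THRESHOLD) -> Assessment:
    """Apply the plan's rule to one address: net balance, liquidation check, eligibility."""
    supply_value = value_at_snapshot(position.supply, prices)
    borrow_value = value_at_snapshot(position.borrow, prices)
    net_balance = supply_value - borrow_value
    # Liquidation check at snapshot prices (threshold is the assumption above).
    liquidated = borrow_value > supply_value * threshold
    eligible = net_balance > 0 and not liquidated
    return Assessment(
        address=position.address,
        supply_value=supply_value,
        borrow_value=borrow_value,
        net_balance=net_balance,
        liquidated=liquidated,
        restitution_usd=net_balance if eligible else Decimal(0),
        payout_chains=frozenset(PAYOUT_CHAIN[a] for a in position.supply),
    )


def restitution_report(positions) -> dict:
    """Assess every address and total the USD owed under the plan."""
    assessments = [assess(p) for p in positions]
    total = sum((a.restitution_usd for a in assessments), Decimal(0))
    return {"assessments": assessments, "total_usd": total}


# Constructed sample positions; the addresses are placeholders, not real wallets.
SAMPLE_POSITIONS = [
    Position("0xaaaa-constructed", {"OP": 1000}, {}),               # pure supplier
    Position("0xbbbb-constructed", {"ETH": 1}, {"USDC": 2000}),     # healthy borrower
    Position("0xcccc-constructed", {"ARB": 1000}, {"USDC": 950}),   # positive net, but over threshold
    Position("0xdddd-constructed", {}, {"USDC": 100}),              # borrow only, negative net
]

if __name__ == "__main__":
    report = restitution_report(SAMPLE_POSITIONS)
    for a in report["assessments"]:
        print(f"{a.address}: net={a.net_balance} liquidated={a.liquidated} "
              f"owed={a.restitution_usd} via {sorted(a.payout_chains)}")
    print("total owed:", report["total_usd"])
```

Two of the four constructed addresses are excluded: the borrow-only address has a negative net balance, and the ARB supplier has a positive net balance but fails the (assumed) liquidation check, which is exactly the "after accounting for liquidation checks" qualifier in the plan. Decimal arithmetic is used so that the snapshot valuation is exact rather than subject to floating-point rounding.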
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Refunds.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] @RektHQ Twitter (May 6, 2024)
- [2] Rekt - Pike Finance - Rekt (May 6, 2024)
- [3] @PikeFinance Twitter (May 6, 2024)
- [4] Pike | Universal Liquidity Protocol (May 6, 2024)
- [5] Introduction to Pike | User Docs | Pike (May 6, 2024)
- [6] Pike: A Path Forward — Pike (May 6, 2024)
- [7] Post-Mortem Report: Pike USDC Withdrawal Vulnerability — Pike (May 6, 2024)
- [8] OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (May 6, 2024)
- [9] https://zapper.xyz/account/0xadaf1626aec26a7937ae7d1fa0664e6e0904c1d0?tab=history (May 6, 2024)
- [10] Ethereum Transaction Hash (Txhash) Details | Etherscan (May 6, 2024)
- [11] Ethereum Transaction Hash (Txhash) Details | Etherscan (May 6, 2024)
- [12] BaseScan Transaction Hash (Txhash) Details | Base (May 6, 2024)