Pinecone Finance Deflation Hack
Pinecone Finance offers a yield farm for staking, where users deposit their funds into a smart contract hot wallet and earn profit by providing market liquidity. An exploit made possible by the behaviour of its deflationary PCT token allowed a hacker to gain about $200k.
The hacker returned the funds after a subsequent discussion with the team, and the team worked to compensate all affected users for their losses.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10]
About Pinecone Finance
"Pinecone Finance is the next generation of yield optimizer protocol on BSC with the aim of making yield farming more rewarding, sustainable and effortless." "Yield farming is a DeFi concept where users stake their crypto assets in order to receive passive income, which has become in favor these days, especially in the time of crypto market uncertainty." "Nevertheless there are many issues still plaguing yield farmers including the lack of sustainability, poor user experience, and most importantly, security risks, especially flash loan attacks, which have already caused hundreds of millions of losses for projects and investors."
"Pinecone focuses only on single asset farming in order to avoid the risks associated with farming via LPs. What is unique about Pinecone is that, for each crypto asset, it will offer multiple farming strategies with different risk/return profiles, so that farmers can select the most suitable ones based on their own preferences, and easily switch between different vaults anytime they want."
"No matter how complicated a flash loan attack is, it has to use a smart contract to execute a large number of transactions in one block. Pinecone's flash loan attack defending system works in two levels: (1) It restricts direct access from 3rd party smart contracts unless they go through the white list approval process including stringent security checks. (2) It sets a max transaction limit per block to ensure no flash loan attackers can profit from dumping a large amount of PCT within one block."
"PCT holders can enjoy sustainable income from various sources including performance fee, transfer tax and we also offer PCT stakers PCT rewards per block."
"Pinecone launched the pledge pool of protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT pledge pool went online, the front-end was processed to limit illegal operations, but the hacker bypassed the front-end page during the attack and directly called the smart contract through an ordinary account, depositing PCT tokens greater than the amount of the account balance, and the PCT pool wrongly recorded the number of user deposits. When withdrawing, you can extract more PCT tokens. After discovering that the currency price had plunged, the project party immediately terminated the call of the smart contract. The current loss of the number of PCTs: about 3.5 million."
"@PineconeFinance was exploited starting 2021-08-18 11:41:19 AM UTC with a flurry of deposits and withdraws, leading to the loss of ~3.5M PCTs (~$200K)." "The root cause is due to a false deposit bug in the staking logic of @PineconeFinance. In particular, the affected vault counts as valid deposits even if no tokens are actually transferred in."
"[I]n one example hack tx, the hacker has no sufficient PCT balance but stakes 200K PCTs to the vault. However, the tx still succeeds and credits the hacker with 200K valid PCTs staked!" "Overall, three involved hackers collect ~3.5M PCTs and convert to 516.83 BNB (~$200K)."
"PCT token is different from ordinary ERC-20 Token in that it had a built-in burning mechanism. Interaction with smart contracts often reports errors due to incorrect wallet balance, causing transaction failures. In order to avoid this issue, the rollback mechanism which voids the transaction when the wallet balance is insufficient is taken offline. This mechanism, though it existed, could not be abused prior to the launch of PCT vault."
"When the Pinecone PCT staking vault went online, the restrictions for illegal operations were implemented at the front-end, however the hacker bypassed the webpage and directly called the smart contract through EOA. In the end the hacker managed to withdraw a greater amount of PCT token than the amount he deposited, because the Smart Contract failed to verify the account balance."
"PCT price plunged from 0.095 to 0.037 within 10 minutes. The project team took quick action to stop PCT pool contract and fixed the issue immediately with PeckShield, a renowned tech auditing firm." "The project team has contacted the Binance team and taken due action to locate the hacker. PeckShield has offered great help to the project team during the post-mortem analysis and will continue to support the project team for further security audit."
"As of 09:30 AM UTC on August 19, the project team and investors held a total of 4.91 million tokens. After discussing with the team, early investors and advisors overnight, everyone decided to overcome the difficulties together and use all tokens to compensate users."
"[T]he project team will make up for all the lost PCT amount by August 21, totaling 3.53 million." "[A]ll the wallet PCT holders counted at 09:30 AM UTC on August 19th will be compensated through daily airdrop, based on the current PCT staking pool yearly APR 542%, daily APR 1.5%, until the deposit function of the PCT staking pool is restored. Due to the complexity of data collection and calculation, the airdrop is scheduled to start on August 21. The specific time will be notified in advance."
"The remaining part will be given out as further compensation through the PCT staking pool, shared by all pool users. This will be implemented after the deposit function of the staking pool is back to normal."
"The funds are still parked in three different addresses: 0x4272, 0xfc66, 0x430a. We are actively monitoring these addresses for any movement." "By analyzing the perpetrator's (hereinafter referred to as Mr. X) wallet, the project team managed to track down his hot wallet addresses and transaction records associated with three major CEXs."
"The project team immediately got in touch with the exchanges trying to track Mr. X's identity, while at the same time urging Mr. X to return the fund through the communication on Twitter, Telegram Group and Medium. At 11:30 UTC on August 19, after receiving an e-mail from Mr. X, expressing his willingness to reconcile and return the fund, the founder of Pinecone reached out to Mr. X and had a long conversation. During the communication, Mr. X said that he was actually an investor of the project and even participated in the pre-sale."
"When PCT staking pool went online, he accidentally discovered a loophole and used it to make a profit of nearly 500 BNB. After seeing the attitude, efficiency and sincerity of the project team handling this incident, he decided to return the fund and would love to continue to support the project."
"It was a happy ending eventually and the incident was resolved through mutual understanding and effective communication."
The Reality
What Happened
Pinecone launched a staking (pledge) pool for its protocol token PCT at 09:00 UTC on August 18, 2021. Restrictions on invalid operations were implemented only in the front-end, and from 11:41:19 UTC an attacker bypassed the web page and called the staking contract directly from an ordinary account, depositing more PCT than the account held. Because the vault credited the requested amount without verifying that tokens were actually transferred in, the deposits were recorded as valid and the attacker could then withdraw more PCT than had been deposited. Three addresses collected about 3.5 million PCT and converted it to 516.83 BNB (~$200K); the PCT price fell from 0.095 to 0.037 within 10 minutes, after which the team halted the contract.
Date | Event | Description |
---|---|---|
August 18th, 2021 | Main Event | The PCT staking pool went live at 09:00 UTC and was exploited from 11:41:19 UTC by deposits that were credited without tokens being transferred in. About 3.5 million PCT (~$200K, converted to 516.83 BNB) was withdrawn by three addresses and the PCT price fell from 0.095 to 0.037 within 10 minutes; the team stopped the pool contract. |
August 19th, 2021 | Contact With Attacker | At 11:30 UTC the team received an e-mail from the attacker (Mr. X) expressing willingness to return the funds; the Pinecone founder held a long conversation with him and he agreed to return the funds. |
August 21st, 2021 | Compensation | The team committed to make up all 3.53 million lost PCT by this date, with daily airdrops to PCT holders scheduled to start. |
Technical Details
The root cause was a false deposit bug in the staking vault: the vault counted a deposit as valid even when no tokens were actually transferred in, crediting the caller with the requested amount rather than the amount received. PCT differs from an ordinary ERC-20 token in that it has a built-in burning mechanism; because interactions with smart contracts often failed on incorrect wallet balances, the rollback that voids a transaction when the wallet balance is insufficient had been taken offline. That combination meant a transfer of more PCT than the caller held did not revert, while the vault still recorded the full amount as staked. In one example transaction the attacker staked 200K PCT without holding that balance and was credited with 200K PCT staked. The operation restrictions that did exist were enforced only in the front-end, which an EOA calling the contract directly bypasses.
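The false-deposit pattern described above, shown as an added illustration in Solidity (this is not Pinecone's code): a vault that credits whatever amount the caller names, beside one that credits only the balance increase it actually observes. `NaiveVault`, `MeasuredVault` and the minimal `IERC20` interface are hypothetical names chosen for this example, and the token is assumed to behave as the post-mortem describes, that is, its transfer does not revert when the sender's balance is insufficient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Pinecone's code. Contract names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the vault trusts the amount the caller passes in.
/// If the token's transfer neither reverts nor moves tokens (as described
/// for PCT), the caller is credited with a stake that never arrived.
contract NaiveVault {
    IERC20 public immutable token;
    mapping(address => uint256) public staked;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        // Neither the return value nor the actual received amount is checked.
        token.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount; // phantom credit if nothing was transferred
    }

    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // pays out against the phantom credit
    }
}

/// Hardened pattern: the vault measures its own balance before and after the
/// transfer and credits only the difference, so a transfer that moved nothing
/// (or a burn-on-transfer token that delivered less) is accounted correctly.
contract MeasuredVault {
    IERC20 public immutable token;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external nonReentrant {
        require(amount > 0, "zero deposit");
        uint256 before = token.balanceOf(address(this));
        // Also reject tokens that signal failure by returning false.
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        // Credit what actually arrived, never the requested amount.
        staked[msg.sender] += received;
        totalStaked += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The balance-delta check is the contract-level control that the front-end restrictions could not provide: it holds regardless of whether the caller is the web page, an EOA or another contract. It also accounts correctly for a deflationary token that burns part of each transfer, because the credited stake is the amount the vault actually holds, so withdrawals can never exceed real deposits.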
Total Amount Lost
The total amount lost has been estimated at $200,000 USD.
Immediate Reactions
After the PCT price plunged, the project team immediately stopped the PCT pool contract and fixed the issue with PeckShield. The team contacted the Binance team to help locate the attacker, identified the three addresses holding the funds (0x4272, 0xfc66, 0x430a) and monitored them for movement, traced the attacker's hot wallet addresses and transaction records associated with three major CEXs, and urged the attacker to return the funds through Twitter, the Telegram group and Medium.
Ultimate Outcome
At 11:30 UTC on August 19 the team received an e-mail from the attacker (referred to as Mr. X) expressing his willingness to reconcile and return the funds. The Pinecone founder had a long conversation with him; Mr. X said he was an investor who had participated in the pre-sale, had accidentally discovered the loophole when the staking pool went online and profited nearly 500 BNB, and decided to return the funds after seeing how the team handled the incident. The incident was resolved through this communication, and PeckShield continued to support the team with further security auditing.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
The project team and investors held 4.91 million PCT as of 09:30 UTC on August 19 and decided to use all of it to compensate users. All lost PCT (3.53 million in total) was to be made up by August 21: wallet PCT holders counted at 09:30 UTC on August 19 were to be compensated through a daily airdrop based on the pool's 542% yearly APR (1.5% daily) until the deposit function was restored, with the remainder distributed through the PCT staking pool once deposits resumed.
Ongoing Developments
General Prevention Policies
There were no losses in this case since the hacker returned the funds.
The only truly secure storage of assets is an offline multi-sig wallet. Protocols run by known teams could explore options where most funds are in cold storage when not in use. In the future, it's very likely that insurance protocols will reduce some of the risk.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (May 18, 2021)
2. @peckshield Twitter (Aug 22, 2021)
3. @PineconeFinance Twitter (Aug 22, 2021)
4. Post-Mortem of PCT Staking Vault Attack | by PineconeFinance_Official | Medium (Aug 22, 2021)
5. Pinecone Finance (Aug 22, 2021)
6. Pinecone Finance - Multiple Strategy Single Asset Farming (Aug 22, 2021)
7. Contract Address 0x4631d9D8b34f51B82958a19453bdc9eA0C4E49FC | BscScan (Aug 22, 2021)
8. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
9. PCT Staking Pool Attack Compensation Plan | by PineconeFinance_Official | Medium (Sep 20, 2021)
10. Binance Transaction Hash (Txhash) Details | BscScan (Sep 20, 2021)