SubDAO Penpie suffered an attack on its reward protocol and lost about $27 million; as a result, Pendle has temporarily suspended contract operations with it.
On September 4, Web3 network security company Ancilia revealed that Penpie, an independent protocol built on top of Pendle, lost about $27 million in an attack that was executed in two steps.
1/ PenPie @Penpiexyz_io (Pendle Finance) @pendle_fi is suffering the attack from its award protocols. It lost about ~27M.
The attack uses two steps to attack.
1. set up a new Pendle market: https://t.co/tWt1NX90Ne
2. attack tx: https://t.co/RMOFRqk96v
— Ancilia, Inc. (@AnciliaInc) September 3, 2024
The security firm added, “The root cause is a re-entry-like vulnerability in its batchHarvestMarketRewards() function; the internal function _harvestBatchMarketRewards() will call the function redeemRewards() from a hacker-controlled Sy contract (set up at step 1).” According to Ancilia, using the same funds twice (as liquidity and as a reward) let the attacker collect double the amount.
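As an added illustration (not Penpie's or Pendle's code), the hardening pattern for the bug class Ancilia describes: a batch harvester whose internal loop calls redeemRewards() on an external contract. The interface names, the source registry and the balance-delta accounting are assumptions made for this example; the point is that the loop only ever calls registered sources, is guarded against re-entry, and credits only the tokens that actually arrived.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal shape of an SY-style reward source (illustrative, not Pendle's real interface).
interface IRewardSource {
    function getRewardTokens() external view returns (address[] memory);
    function redeemRewards(address user) external returns (uint256[] memory);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract HardenedHarvester {
    // Only sources added by governance may ever be called from the harvest loop;
    // an arbitrary address here would be untrusted code running inside our accounting.
    mapping(address => bool) public isRegisteredSource;
    // Rewards credited per source and token, measured from real inflows.
    mapping(address => mapping(address => uint256)) public accruedRewards;
    uint256 private _locked = 1; // simple re-entrancy lock

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Access control (e.g. onlyOwner) is omitted for brevity; it is required in practice.
    function registerSource(address source) external {
        isRegisteredSource[source] = true;
    }

    // Public entry point: the whole batch runs under one lock, so no callback
    // from a source can re-enter harvesting while balances are being measured.
    function batchHarvest(address[] calldata sources) external nonReentrant {
        for (uint256 i = 0; i < sources.length; i++) {
            _harvest(sources[i]);
        }
    }

    function _harvest(address source) internal {
        require(isRegisteredSource[source], "unregistered source");
        address[] memory tokens = IRewardSource(source).getRewardTokens();
        uint256[] memory before = new uint256[](tokens.length);
        for (uint256 i = 0; i < tokens.length; i++) {
            before[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
        IRewardSource(source).redeemRewards(address(this)); // the external call
        for (uint256 i = 0; i < tokens.length; i++) {
            // Credit only what was actually received from this call, not a reported amount.
            uint256 delta = IERC20(tokens[i]).balanceOf(address(this)) - before[i];
            accruedRewards[source][tokens[i]] += delta;
        }
    }
}
```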
After news of the attack surfaced, Pendle officials tweeted, “After a thorough investigation, we can confirm that the funds on Pendle are still safe.” They did, however, find a security vulnerability in Penpie. As a precaution, Pendle has temporarily suspended all contract operations and said it would maintain close communication with the Penpie team to actively assist them in resolving the issue.
Meanwhile, Penpie has paused all deposits and withdrawals while it resolves the issue.
For Penpie, transparency is foundational. We are monitoring the situation and are in the process of restoring the Penpie frontend.
Deposits and withdrawals will remain paused.
Also, we are collaborating with law enforcement to resolve the issue.
Updates to come.
— Penpie (@Penpiexyz_io) September 3, 2024