
Penpie Hacked for $27 Million: Why Was It Wiped Out?
TechFlow Selected TechFlow Selected

Penpie Hacked for $27 Million: Why Was It Wiped Out?
On September 4, Penpie, a DeFi protocol built on Pendle, was hacked, resulting in the theft of approximately $27 million in crypto assets.
Author: Beosin
On September 4, 2024, according to Beosin Alert monitoring, Penpie, a DeFi protocol built on Pendle, was hacked, resulting in the theft of approximately $27 million in crypto assets. The Beosin security team immediately analyzed the incident, with findings detailed below.
Penpie is a DeFi platform integrated with Pendle Finance, focusing on locking PENDLE tokens to obtain governance rights within Pendle Finance and enhanced yield rewards. Penpie aims to provide Pendle Finance users with improved yield and veTokenomics services.
Incident Overview
● Attack Transaction:
0x56e09abb35ff12271fdb38ff8a23e4d4a7396844426a94c4d3af2e8b7a0a2813
● Attacker Address:
0xc0Eb7e6E2b94aA43BDD0c60E645fe915d5c6eb84
● Attacking Contract:
0x4aF4C234B8CB6e060797e87AFB724cfb1d320Bb7
● Compromised Contract:
0x6e799758cee75dae3d84e09d40dc416ecf713652
Vulnerability Analysis
This incident primarily involved the attacker exploiting the reentrancy vulnerability in the claimRewards function of the market contract, re-entering the staking function to artificially inflate the balance of the staking contract, then withdrawing excess tokens and staked assets for profit.
Attack Flow
Preparation Phase:
1. The attacker used the attack contract to call the Factory contract in the Penpie protocol to create a new market and Yield, setting SY as the attacker’s own contract.
0xfda0dde38fa4c5b0e13c506782527a039d3a87f93f9208c104ee569a642172d2

2. The attacker took out flash loans of four different tokens as collateral reserve funds, then called the batchHarvestMarketRewards function in the staking contract to update rewards for the newly created market.

3. During the reward update in the batchHarvestMarketRewards function, the redeemRewards function in the market contract was invoked. The contract recorded the balance difference before and after calling redeemRewards.

4. Within the market's redeemRewards function, a call was made to the claimReward function in the SY contract. Since the SY contract was controlled by the attacker, this allowed the attacker to re-enter the Staking contract via the claimReward function, depositing flash-loaned funds into the Staking contract four times consecutively.


5. Upon returning to the Staking contract, the significant balance difference before and after redeemRewards triggered the _sendRewards function. Ultimately, _queueRewarder inside _sendRewards authorized extra tokens to the market contract and recorded them as rewards.

6. The attacker claimed the recorded rewards.

7. The attacker withdrew the originally deposited assets using the withdraw function, repaid the flash loans, and realized profits.

Pendle subsequently released an analysis report stating that upon discovering the vulnerability, they immediately paused the contracts, preventing further losses affecting $105 million in assets.
Fund Tracking
At the time of writing, approximately $27 million had been stolen. Beosin Trace tracking shows the attacker has converted all stolen funds into ETH, initially storing them in address 0x2f2dDE668e5426463E05D795f5297dB334f61C39.

As of publication, the Penpie attacker has gradually transferred 2,900 ETH (worth approximately $6.9 million) to Tornado Cash.
Currently, the Penpie team has also issued an on-chain message to the hacker, attempting communication to negotiate fund recovery, offering a bounty if the funds are returned, and providing contact details.
Summary
Regarding this incident, the Beosin security team recommends: 1. Add reentrancy guards to relevant contract functions; 2. If not using a whitelist to validate incoming tokens, it is better to use a standardized wrapper contract to regenerate tokens; 3. Before launch, strongly recommend engaging a professional security auditing firm to conduct comprehensive security audits to mitigate risks.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News












