2 Auditors Miss $27 Million PNP Deficit, Pythia’s ‘Claim Rewards’ Error: Crypto-Sec
4 months ago Benito Santiago
Pythia was struck by a reentrancy attack
Decentralized finance protocol Pythia Finance lost $53,000 in a hack on September 3, according to a report from blockchain security firm Quill Audits. Pythia is an algorithmic stablecoin project that aims to use artificial intelligence to manage its treasury.
The attacker repeatedly called the “claim” function to collect more rewards than they were entitled to, before the reward balance could be updated after each call.
According to the report, the attacker was able to call this function repeatedly and quickly because Pythia invoked the token's “secure transfer” function when distributing rewards. A malicious token contract can therefore call back into Pythia during that transfer, causing Pythia to call it again, and so set off a chain reaction that can drain the protocol's funds.
A partial audit report by Quill Audits shows zero unresolved security issues for Pythia Zero, suggesting that the team may have modified the contract to prevent further exploits.
A reentrancy attack is one of the most common types of smart contract exploit: the attacker repeatedly calls a function before its previous invocation has finished executing, so each call sees state that has not yet been updated.
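To make the ordering problem concrete, here is an added example (not Pythia's code) of a rewards contract written both ways: the vulnerable version pays out before clearing the balance, the hardened version applies checks-effects-interactions plus a guard. The `IRewardToken` interface and its `safeTransfer` name are assumptions standing in for the token's “secure transfer” function the report mentions; how rewards are credited is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed token interface: a transfer that can hand control to the recipient,
// which is exactly where a malicious token contract calls back into the protocol.
interface IRewardToken {
    function safeTransfer(address to, uint256 amount) external;
}

contract RewardsVulnerable {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;

    constructor(IRewardToken token) { rewardToken = token; }

    // Vulnerable: the external call happens BEFORE pendingRewards is zeroed.
    // If the token re-enters claim() during safeTransfer, the stale balance
    // is paid out again, and again, until the contract is drained.
    function claim() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        rewardToken.safeTransfer(msg.sender, amount); // interaction first
        pendingRewards[msg.sender] = 0;               // effect last: too late
    }
}

contract RewardsHardened {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;
    uint256 private _locked = 1; // 1 = unlocked, 2 = locked

    constructor(IRewardToken token) { rewardToken = token; }

    // Minimal reentrancy guard: a nested call while the first is still
    // executing reverts instead of running against stale state.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Hardened: checks, then effects (zero the balance), then the interaction.
    // Even without the guard a re-entering call reads 0 and fails the require;
    // the guard is defence in depth for any other entry point.
    function claim() external nonReentrant {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0;               // effect first
        rewardToken.safeTransfer(msg.sender, amount); // interaction last
    }
}
```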
Zyxel critical vulnerability
On Sept. 4, network hardware manufacturer Zyxel disclosed that some of its network devices allow attackers to run code on users' routers and access points, giving them access to those devices.
According to the description, the vulnerability is caused by several firmware versions “mishandling special elements in the ‘host’ in the CGI program.” Because of this improper neutralization, these firmware versions “could allow an unauthenticated attacker to execute operating system commands by sending a crafted cookie to a vulnerable device.”
Crypto wallet users should be careful about potential attacks on their home networks. If an attacker gains access to a user's home network, they can use this access to redirect the user's traffic with DNS spoofing, view unencrypted data sent over the network, or use deep packet inspection to intercept encrypted data. The information obtained can be used for social engineering attacks to convince the user to approve transactions or share their private keys.
Zyxel has released a list of potentially affected devices that include the NWA50AX PRO, NWA90AX, WAC500 and other access points, as well as the USG LITE 60AX router. The manufacturer advises users of these devices to update their firmware.
Penpie exploiter created a fake Pendle market
The $27 million Penpie exploit was made possible by a flaw that allowed any user to create a Pendle market, according to a Sept. 4 report from blockchain security firm Zokyo. The report said an earlier version of the protocol was audited by Zokyo, but the flaw was not caught at the time.
Penpie has a function called “registerPenpiePool” that is used to register a new pool address and Pendle market, the report said. It contains a check that the Pendle market is listed in the Pendle Finance factory contract, intended to prevent malicious markets from being registered: registration is not possible if the market is not listed in this factory contract. However, any user can get a market listed in the factory contract by calling the createNewMarket function on the factory. According to the report, this means essentially any user can create and register a Pendle market.
An attacker could exploit this vulnerability to create a fake Pendle market and pool, which are configured to offer valuable Pendle tokens as rewards.
The protocol also contains a reentrancy flaw that allows a market to re-enter the deposit function and deposit tokens repeatedly before balances are updated. The attacker repeatedly called the deposit function, artificially inflating their rewards. They then withdrew the deposit and claimed the rewards, draining the protocol of more than $27 million.
According to the report, the reentrancy flaw was present in the version Zokyo audited. But in that version, only the protocol team could register a new pool and market, which was supposed to prevent an outside attacker from using it. The report says:
“The _market entry received by the batchHarvestMarketRewards(…) method was not expected to be malicious because in an earlier version of the code audited by Zokyo, only the owner (multi-sig) could register a pool.”
In a separate report published on September 3, the Penpie team said it had introduced “unauthorized pool registration” nearly a year after Zokyo conducted its audit. At the time, it hired the security firm Astrasec to audit the new registration system. However, only the new contracts were included in this audit. Because the exploit relied on the interaction between two different contracts audited by two different teams, neither caught the vulnerability. Penpie said it would conduct “periodic audits of the entire protocol” in the future to ensure such incidents do not happen again.
Penpie is a decentralized finance protocol that aims to provide product incentives to Pendle Finance users. The exploit against it happened on September 3.
Christopher Roark