Penpie DeFi Platform Hit by $27 Million Security Breach
Penpie, a decentralized finance (DeFi) platform built on the Pendle network, reportedly suffered a massive exploit on September 3, 2024.
According to Cyvers Alert, a real-time on-chain monitoring system, the hack resulted in the loss of at least $26 million in various wrapped and synthetic crypto assets.
Details of the attacker's exit
The security monitoring company revealed that the attack on Penpie was initiated via a smart contract funded with 10 ether (ETH) through Tornado Cash.
The affected protocol later admitted to the breach, saying it had experienced a “security problem”. The team behind the project has also informed users that all transactions have been suspended and that it is working to resolve the issue.
Pendle, on which the platform is built, said that it was aware of the attack and also announced it on social media. It also assured users that it had concluded its own funds were safe after conducting “thorough investigations”. However, as a precaution, the network temporarily suspended all contracts and provided assistance to the Penpie team to help resolve the issue.
Preventive measures and post-mortem
The platform later released an initial post-mortem report detailing the timeline of events before, during and after the incident.
In the report, the Pendle team stated that the contract was funded through Tornado Cash, so their system flagged it as suspicious immediately after it was created.
They immediately went on high alert, examining the potential security risks the contract posed to the network. It was then that the Penpie exploit occurred, prompting the Pendle team to initiate countermeasures to protect its network and wider ecosystem from any subsequent attacks.
The protocol enlisted the help of other cybersecurity entities, including Seal 911, to develop strategies to address additional threats. However, after further inspections, Pendle terminated the contract at 0050 UTC and resumed normal operations.
For its part, Penpie reached out to the unknown hacker and advocated a “positive solution” to the incident.
In the process, the DeFi project indicated that it was willing to negotiate with the perpetrator for a ransom that would allow for the safe return of the stolen funds. It also promised that no legal action would be taken against the exploiter if they accepted the offer to play the role of a white hat, and assured them that their identity would not be disclosed.
However, at the time of going to press, it was unclear whether the attacker had accepted Penpie's request or contacted the protocol team in any way. In the meantime, operations have stopped, and the team is working to rebuild the front-end so users can get their money back.