The hacker stole $27 million from Penpie as the project’s developer acted swiftly to prevent at least another $105 million from being lost.
A hacker plundered $27 million from DeFi protocol Penpie and funneled $7 million through crypto mixer Tornado Cash in less than 12 hours. The hack occurred on September 3.
Blockchain security firm Cyvers alerted Penpie and the community of the hack on September 3. “Hey @Penpiexyz_io, Our system has raised multiple suspicious transaction(s) involving your contract!” It added, “Affected tokens are $wstETH, $sUSDe, $rswETH.”
Source: Cyvers Alerts on X
It followed up this post with an update about the hacker trying to obscure their trail using Tornado Cash: “@Penpiexyz_io exploiter has deposited around $7M to @TornadoCash.” Another security firm, PeckShield, continued to update the community about the hacker’s activities, suggesting they had not stopped funneling the funds through Tornado Cash.
Source: PeckShield on X
Pendle Speaks About the Hack
Pendle, the developer behind Penpie, released a post-mortem report about the hack via X. “Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie,” it read. Pendle has since resumed operations, allowing users to interact with its contracts safely.
According to Pendle’s account, its in-house security team flagged the threat almost as soon as the hacker’s wallet interacted with its contract, because that wallet was already associated with Tornado Cash. Nevertheless, the hacker launched their attack less than an hour later. Pendle’s team then acted swiftly to prevent further attacks by pausing their contracts. In the meantime, it also contacted external cybersecurity firm Seal 911 to address the situation and mitigate risks.
A few minutes later, Pendle identified how the attack succeeded. It revealed, “The vulnerability was found to be linked to a unique feature that allowed permissionless listing of Pendle markets on Penpie.” It reiterated that all contracts are safe to use going forward and that it would “continue to prioritize the safety and security of our platform above all else.”