In a devastating blow to the decentralized finance (DeFi) community, Penpie Protocol, built on top of the tokenized yield platform Pendle, suffered a $27 million exploit on September 3, 2024.
The attacker managed to siphon off a range of digital assets, including staked Ether (ETH), Ethena’s sUSDE, and wrapped USDC.
In response, Penpie has suspended all deposits and withdrawals while offering a negotiable bounty for the safe return of the stolen funds.
The protocol has promised not to pursue legal action if the funds are returned and to maintain the attacker’s anonymity, emphasizing the significance of these funds to its community.
Exploiter launders funds through Tornado Cash
Data from Etherscan reveals that the stolen assets, worth over 11,113 ETH (approximately $27 million), were swapped for ETH using the Li.Fi protocol before being transferred to a separate laundering address identified as “0x..cC3.”
This address was subsequently used to funnel the funds into Tornado Cash, a well-known cryptocurrency mixer.
Before the attack, the exploit wallet was funded with 10 ETH, also transferred via Tornado Cash just hours before the heist.
At the time of reporting, the attacker had laundered 3,000 ETH through Tornado Cash across 30 transactions, each moving 100 ETH.
The attacker still holds 7,113.2 ETH (around $17 million) in an address labeled “0x2..C39.”
How the exploit happened
Security firm PeckShield identified that the exploit was carried out using a malicious contract dubbed “evil market.”
This contract exploited a vulnerability in Penpie’s reward distribution mechanism by inflating staking balances to claim unearned rewards.
The flaw, as outlined in Pendle’s post-mortem report, allowed anyone to create Pendle markets on Penpie without restrictions, which opened the door to this significant breach.
Following the attack, Penpie Protocol halted all operations, and Pendle temporarily paused all contracts as a precautionary measure to prevent further damage.
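The post-mortem summary above points at two controls: market registration should not be open to anyone, and reward accounting should not trust balances a market contract reports about itself. The following Solidity is an added, simplified illustration of those controls and is not Penpie's or Pendle's code; the IMarketFactory, isValidMarket and GatedRewardDistributor names are hypothetical, it treats a market's LP token as a plain ERC20, and it assumes the balance inflation came from trusting a market-reported figure, which the article does not detail.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical: a trusted factory that can vouch for genuine markets.
interface IMarketFactory {
    function isValidMarket(address market) external view returns (bool);
}

/// Hypothetical reward distributor (illustration only). Two controls:
/// 1. a market is accepted only if the trusted factory vouches for it, so an
///    arbitrary attacker-deployed contract cannot register itself as a market;
/// 2. staking balances are tracked here from tokens actually received, so there
///    is no market-reported balance for the distributor to trust.
contract GatedRewardDistributor {
    IMarketFactory public immutable factory;
    mapping(address => bool) public registered;
    mapping(address => mapping(address => uint256)) public staked; // market => user => amount
    mapping(address => uint256) public totalStaked;                // market => amount

    error UntrustedMarket(address market);
    error TransferFailed();

    constructor(IMarketFactory factory_) {
        factory = factory_;
    }

    /// Registration stays callable by anyone, but the factory decides what counts as a market.
    function registerMarket(address market) external {
        if (!factory.isValidMarket(market)) revert UntrustedMarket(market);
        registered[market] = true;
    }

    /// Tokens move into this contract, so the tracked balance equals real holdings.
    function deposit(address market, uint256 amount) external {
        if (!registered[market]) revert UntrustedMarket(market);
        if (!IERC20(market).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        staked[market][msg.sender] += amount;
        totalStaked[market] += amount;
    }

    /// Pro-rata share of a reward pool, computed only from balances tracked above.
    function pendingReward(address market, address user, uint256 pool) external view returns (uint256) {
        uint256 total = totalStaked[market];
        return total == 0 ? 0 : pool * staked[market][user] / total;
    }
}
```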
Impact on Penpie’s native token
The exploit had an immediate impact on Penpie’s native token, PNP, which saw its price plummet by roughly 40% in the aftermath.
Pendle’s native token, PENDLE, also dropped over 8%.
Although PNP has since made a modest recovery, it remains down 28.8% on the 24-hour chart, reflecting the ongoing uncertainty and shaken confidence in the protocol.
This incident adds to a growing list of security breaches in the crypto space.
According to PeckShield, crypto hacks resulted in approximately $266 million in losses in July, rising to $313 million in August.
Phishing attacks were particularly prevalent, accounting for 93.5% of all stolen crypto in August.
Among the most significant losses, 9,145 victims collectively lost around $63 million to phishing attacks in August alone.
In one particularly severe case, a whale lost $55.47 million worth of DAI after signing a malicious transaction.
Earlier this year, another significant attack saw memecoin deployer Pump.fun exploited for nearly $2 million in a “bonding curve” attack. These incidents underscore the persistent security challenges facing the DeFi space and highlight the urgent need for robust protective measures to safeguard investor assets.
As Penpie seeks to recover from this attack, the outcome of the bounty offer remains to be seen. However, the incident serves as a stark reminder of the risks inherent in the rapidly evolving world of decentralized finance.
The post Penpie Protocol offers bounty after $27 million crypto heist, stolen funds laundered via Tornado Cash appeared first on Invezz