In a post-mortem published on Wednesday, the decentralized finance (DeFi) protocol Pendle claimed to have safeguarded around $105 million in funds that could have been drained following a $27 million hack of the Pendle-based yield optimizer Penpie.
According to the post, the attack on Penpie on Tuesday resulted in the loss of approximately $27.3 million worth of various stolen assets, which were subsequently exchanged for 11,109 ETH.
Blockchain security firm PeckShield attributed the root cause of the exploit to the introduction of an “evil market” – a malicious contract used to inflate the staking balances on Penpie and claim unwarranted rewards.
While the attacker managed to successfully exploit the Penpie protocol, Pendle said its in-house monitoring system promptly detected the suspicious contract, which had been funded from Tornado Cash. However, Pendle was unable to prevent the initial attack.
Pendle claimed that thanks to coordinated efforts from multiple parties, further breaches were mitigated, and Pendle contracts have now been unpaused, with normal operations resuming. The project reassured users that funds on the Pendle platform remain safe and unaffected.
The incident has had a significant impact on the prices of the affected tokens. Penpie’s PNP token fell more than 33% immediately following the hack, while Pendle’s native token is down around 9% over the past 24 hours.
Penpie, which remains stopped, afterward said it was willing to arrange with the programmer and advertised no legitimate activity to be sought after, the attacker’s personality to stay secret, and a rate of the stores as a bounty to compensate in trade for the hacker’s participation.
