Penpie, a protocol built on top of Pendle, recently experienced a significant security breach that resulted in a loss of funds. In response, the Pendle team swiftly intervened to protect approximately $105 million from further potential losses.
Alert: Penpie has encountered a security compromise.
We have paused all deposits and withdrawals. Our team is working tirelessly to address it. Your patience and support are invaluable during this time.
Stay tuned for further updates.
— Penpie (@Penpiexyz_io) September 3, 2024
The incident began at 1745 UTC when the attacker deployed the first contract used in the attack. The Pendle team’s real-time in-house monitoring system immediately flagged the contract as suspicious due to its connection to Tornado Cash and interaction with Pendle contracts. By 1746 UTC, the team was aware of the red flag and began investigating the potential threat.
The first attack on Penpie occurred at 1823 UTC. Within two minutes, Pendle’s team was fully mobilized, working to defend their ecosystem against any additional threats. By 1834 UTC, they had contacted security experts Seal 911 for assistance in assessing the situation and developing strategies to prevent further attacks.
Post Mortem
Earlier today, a security breach targeting Penpie led to some loss of funds. In response, Pendle promptly paused our contracts, effectively safeguarding ~$105M that could have been further drained from Penpie.
Thanks to coordinated efforts from multiple parties,… https://t.co/KJd4SIRxPK
— Pendle (@pendle_fi) September 4, 2024
At 1845 UTC, Pendle successfully paused all contracts, effectively stopping any further attempts to drain assets from Penpie. This decisive action safeguarded $105 million that could have been lost if the breach had continued. The team also communicated with other protocols using Pendle PTs as collateral to inform them of the contract pause.
Pendle Team Confirms That Contracts Are Secure
By 1852 UTC, Pendle’s development team confirmed that their contracts were secure, and the breach was isolated to Penpie. The vulnerability was traced back to a unique feature in Penpie that allowed for the permissionless listing of Pendle markets.
After ensuring the safety of the contracts, Pendle unpaused all transactions, resuming normal operations. The Penpie team is now preparing a detailed post-mortem report to provide further insights into the incident and measures taken to prevent future occurrences. Pendle’s swift and effective response highlights their commitment to security and the protection of user assets.
All contracts have been unpaused and transactions are now resuming as normal
The breach was contained within Penpie, and funds on Pendle are safe.
The Penpie team is working on a post-mortem report, which will be released soon to provide further details. https://t.co/Z8SIJ70z4B
— Pendle (@pendle_fi) September 4, 2024