Penpie is a decentralised finance (DeFi) platform focused on yield farming, built on top of Pendle. On 3rd September 2024, it suffered a devastating exploit leading to the theft of $27 million. The attacker leveraged a vulnerability in Penpie's reward distribution system, specifically targeting the batchHarvestMarketRewards() function through a reentrancy attack.
Behind the Breach
The attack happened when the hacker manipulated Penpie's smart contracts by registering a malicious market. The vulnerability allowed the attacker to re-enter Penpie's staking contracts and harvest rewards excessively. The core issue lay in the permissionless market creation process, which lacked proper validation, enabling the hacker to create a fake market and exploit it using LP tokens.
Lessons from the Incident
This breach highlights the dangers of permissionless contract systems. To mitigate such risks, DeFi protocols should enforce stricter access controls for market creation, implement reentrancy guards in their code, and regularly review their contracts through comprehensive security audits to identify such vulnerabilities early.
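The two code-level mitigations named above, gated market registration and a reentrancy guard, combined in a minimal Solidity sketch. This is an added example, not Penpie's or Pendle's code: the contract, interface and function names (GuardedHarvester, IMarket.redeemRewards, approveMarket, batchHarvest) are hypothetical, and it assumes the market contract is itself the LP token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical interfaces for illustration; not taken from any real protocol.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transferFrom(address f, address t, uint256 v) external returns (bool);
}
interface IMarket { function redeemRewards(address user) external; }

contract GuardedHarvester {
    address public immutable owner;
    IERC20 public immutable rewardToken;
    mapping(address => bool) public approvedMarket;                // allowlist of vetted markets
    mapping(address => mapping(address => uint256)) public staked; // market => user => LP amount
    mapping(address => uint256) public harvested;                  // market => rewards received
    uint256 private lock = 1;                                      // 1 = idle, 2 = entered
    error NotOwner(); error Reentrancy(); error MarketNotApproved(address market);

    constructor(IERC20 _rewardToken) { owner = msg.sender; rewardToken = _rewardToken; }
    // One lock shared by every state-changing entry point: a callback made during
    // batchHarvest() cannot re-enter deposit(), and the reverse also holds.
    modifier nonReentrant() {
        if (lock != 1) revert Reentrancy();
        lock = 2;
        _;
        lock = 1;
    }

    // Market registration is gated rather than permissionless.
    function approveMarket(address market, bool ok) external {
        if (msg.sender != owner) revert NotOwner();
        approvedMarket[market] = ok;
    }

    function deposit(address market, uint256 amount) external nonReentrant {
        if (!approvedMarket[market]) revert MarketNotApproved(market);
        staked[market][msg.sender] += amount; // effect before the external call
        require(IERC20(market).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Rewards are credited from a balance delta, so nothing may change state mid-call.
    function batchHarvest(address[] calldata markets) external nonReentrant {
        for (uint256 i = 0; i < markets.length; i++) {
            if (!approvedMarket[markets[i]]) revert MarketNotApproved(markets[i]);
            uint256 balBefore = rewardToken.balanceOf(address(this));
            IMarket(markets[i]).redeemRewards(address(this)); // external call into market code
            harvested[markets[i]] += rewardToken.balanceOf(address(this)) - balBefore;
        }
    }
}
```

The guard only helps if it is shared: a lock on the harvest function alone would still let a market's callback reach an unguarded deposit path while the balance delta is being measured.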
Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and 360 degree security services for Web3. Visit rivanorth.com to find out more.
You build the future. We help you secure it.