Highlights:
- Penpie’s $27M exploit highlights growing DeFi vulnerabilities in 2024.
- Penpie is negotiating with the hacker and offering a bounty.
- Both Penpie and Pendle tokens have faced significant declines following the breach.
On Sept. 3, the decentralized finance (DeFi) protocol Penpie was hit by a massive exploit in which the attacker drained about $27 million in cryptocurrencies. The stolen digital assets include staked ETH and wrapped USDC. Penpie, which is built on Pendle, has acknowledged the exploit and has expressed a willingness to negotiate a bounty for the safe return of the stolen funds.
Penpie confirmed the security breach in a post on X and took immediate action by pausing all deposits and withdrawals. Hacks are not uncommon in DeFi, and Penpie’s incident is a recent example. Magpie, the developer behind Penpie, stated that it has identified the root cause of the hack and assured users that all other protocols within the Magpie ecosystem remain secure and unaffected. Reports indicate that the hacker exploited a vulnerability in Penpie’s security.
After a thorough investigation, we can confirm that funds on Pendle remain secure.
However, we have identified a security compromise in @Penpiexyz_io, an independent protocol built on top of Pendle.
As a precaution, we have temporarily paused all contracts, and shall maintain…
— Pendle (@pendle_fi) September 3, 2024
According to Lookonchain, the hack stole 2,695 Restaked Swell Ethereum ($6.62 million), 2,723 wrapped stETH ($7.77 million), 2.52 million Ethena Staked USDe ($2.77 million), and 4,101 agETH ($10.17 million). The hacker converted all the stolen assets into 11,109 Ether and deposited 1,000 Ether into Tornado Cash.
Penpie(@Penpiexyz_io) was exploited for $27.3M, including:
2,695 rswETH($6.62M)
4,101 agETH($10.17M)
2,723 wstETH($7.77M)
2.52M sUSDe($2.77M)
The hacker exchanged all assets for 11,109 $ETH($27M) and deposited 1000 $ETH($2.34M) into #TornadoCash. https://t.co/u7SYHRL8UI
— Lookonchain (@lookonchain) September 4, 2024
Penpie Seeks Positive Resolution with Hacker
Penpie addressed the hacker in its report and expressed optimism about a potential positive resolution that could benefit all parties involved. The protocol highlighted that it is a community-driven project and emphasized the significant value of these funds to its users.
The platform indicated a willingness to negotiate a bounty for the safe return of the funds, offering the hacker a chance to transition into a white-hat role, where their skills could be recognized and rewarded. In return, Penpie guarantees that legal actions will be pursued while keeping the hacker’s identity confidential. Additionally, the hacker will receive a percentage of the recovered funds as a bounty reward.
To the hacker: We acknowledge your exploit of our protocol and believe there's potential for a positive resolution that benefits all parties. Penpie is a community-driven project, and these funds mean a lot to our users. We are willing to negotiate a bounty for the safe return of…
— Penpie (@Penpiexyz_io) September 4, 2024
Penpie and Pendle Tokens Face Sharp Declines Following the Hack
Penpie’s token, PNP, has experienced a significant decline, with its price falling by 34% in the past 24 hours. Its trading volume surged by 1425% during this period, reaching $463,000. As of the latest update, PNP is trading at an average price of $0.984.
Pendle also saw a price drop, with its value decreasing by 10% over the last day. PENDLE is currently trading at an average price of $2.85. Its 24-hour trading volume has decreased by 22% to $57.2 million.
Crypto Hacks Surge in 2024
The Penpie exploit highlights a broader trend of increasing crypto hacks in 2024. According to a recent report by Immunefi, hackers have stolen over $1.2 billion across 154 incidents this year, underscoring the pervasive vulnerabilities in DeFi protocols and other crypto platforms.
According to security firm PeckShield, in August 2024 alone, crypto hacks led to losses exceeding $313 million. The two largest incidents that month involved the theft of $238 million in Bitcoin and $55 million in DAI. Phishing attacks have surged, with Scam Sniffer reporting a 215% increase in financial losses in August. Although the number of attacks decreased compared to July, the amount of stolen funds significantly spiked, with one phishing scheme alone yielding $55 million.