Pendle Releases Penpie Attack Analysis Report: Contracts Suspended Immediately After Discovery of Vulnerabilities, Protecting $105 Million in Assets from Further Losses
On September 4th, Pendle released a Penpie attack analysis report: "Pendle suspended our contract immediately after discovering security bugs, protecting approximately $105 million, which could be further lost from Penpie. At 01:45 today, the attacker deployed the first contract used for the attack. Our real-time internal monitoring system detected it as a suspicious contract, which was funded by Tornado Cash and interacted with the Pendle contract. At 01:46, the team was aware of this red flag and was on alert, and launched an investigation to check if this posed a real security threat to Pendle. At 02:23, the first attack occurred on Penpie, a stand-alone protocol built on top of Pendle. At 02:25 (i.e. approximately 2 minutes after the Penpie security bugs occurred), the Pendle team was fully committed to protecting Pendle and Pencosystem from any subsequent attacks. At 02:34, Pendle also contacted security expert Seal 911 to help assess the situation, evaluate options, and develop appropriate strategies to stop any subsequent related attacks. At 02:45, we managed to suspend all contracts on Pendle. Thereafter, the team contacted the protocol that used Pendle PT as collateral and informed them of the contract suspension. At 02:52, our development team confirmed that the Pendle contract was secure and that the attack was due to an issue specific to Penpie. The vulnerability was found to be related to a unique feature that allows for the unauthorized listing of the Pendle Marketplace on Penpie. At 08:50, after rigorous checks and coordination with all relevant parties confirmed Steps 1 and 2, the Pendle contract has been safely unpaused and is back up and running."