Penpie Releases Attack Analysis Report: 11,113.6 ETH Stolen, Will Launch Governance Vote on Snapshot to Determine Compensation Plan
Penpie released an analysis report on the attack, stating that its platform was attacked on September 3, resulting in the theft of 11,113.6 ETH (approximately $27,348,259). Deposits and withdrawals are currently suspended, and front-end recovery is complete. Reportedly, the hackers exploited a reentrancy protection vulnerability in the PendleStakingBaseUpg::batchHarvestMarketRewards() function. By re-entering the PendleStakingBaseUpg::depositMarket() function while rewards were being harvested, the malicious SY contract repeatedly added new deposits funded by flash loans, which allowed the attacker to manipulate the reward tokens and the amount sent to the depositors of the fake Pendle Market, who were the attackers themselves.
At this stage, Penpie is actively working with law enforcement agencies to identify and apprehend the attackers. It has also sent on-chain messages to the hackers on multiple occasions seeking white hat negotiations, but has not yet received a reply. In addition, the community has been provided with updated information on the status of deposits, withdrawals and other related developments. Penpie said that its follow-up work will include a comprehensive review of all protocols and smart contracts to identify vulnerabilities, regular audits of the entire protocol, and real-time monitoring and automatic suspension of the system, in order to maintain resilience and move forward. In addition, a thread will be opened in the governance forum to gather suggestions and feedback from the community, so as to start developing a compensation plan. A governance vote will then be created on Snapshot to finalize the compensation plan.
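The reentrancy gap described in the report can be modelled in a few lines. The following is an added example, not Penpie's code: it is a toy Python model in which the class names, method names, amounts, and the balance-delta reward accounting are all assumptions, and it shows why the lock has to cover the harvest function as well as the deposit function.

```python
# Added illustration, not Penpie's code. Class and method names and the
# balance-delta reward accounting are assumptions made for this toy model.

class ReentrantCall(Exception):
    """Stands in for a transaction revert raised by the reentrancy lock."""

class Staking:
    def __init__(self, guard_harvest):
        self.guard_harvest = guard_harvest  # False = harvest left unguarded
        self.locked = False
        self.balance = 0           # tokens held by the staking contract
        self.credited_rewards = 0  # amount booked as rewards for depositors

    def _lock(self):
        if self.locked:
            raise ReentrantCall("call made while lock is held")
        self.locked = True

    def deposit(self, amount):     # guarded in both variants
        self._lock()
        try:
            self.balance += amount
        finally:
            self.locked = False

    def harvest(self, market):
        if self.guard_harvest:
            self._lock()
        try:
            before = self.balance
            market.redeem_rewards(self)  # external call into untrusted code
            self.credited_rewards += self.balance - before
        finally:
            if self.guard_harvest:
                self.locked = False

class HonestMarket:
    def redeem_rewards(self, staking):
        staking.balance += 5             # constructed reward amount

class CallbackMarket:
    def redeem_rewards(self, staking):
        staking.deposit(1000)            # constructed re-entrant deposit

def simulate(guard_harvest, market):
    """Return (credited_rewards, reverted) for one harvest call."""
    s = Staking(guard_harvest)
    try:
        s.harvest(market)
    except ReentrantCall:
        return s.credited_rewards, True
    return s.credited_rewards, False
```

With the harvest path unguarded, the deposit made during the external call is booked as a reward; with one lock shared by both functions, the same call reverts and nothing is credited.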