We should admit the small world of DeFi is quite wild, with scams and hacks still cropping up here and there. This time the bad turn fell on Pickle Finance, an Ethereum-based yield-farming platform that was hacked on November 21, with around 19.7M USD drained.
Pickle Finance launched last September, letting liquidity providers (yield farmers) stake ETH and stablecoins to earn its native token, PICKLE, as a reward. The advertised Annual Percentage Yield (APY) reached as high as 1,432%, a figure that will be hard to sustain now that its flaws have been exposed.
According to a blog post by the Pickle Finance team, the affected contract was the pDAI PickleJar, from which 19,759,355 DAI was drained. The attack was sophisticated: it leveraged several design flaws, and in particular a feature that enables direct swaps between Jars (the protocol's vaults).
Immediately after the attack, the team joined forces with a group of white-hat hackers to investigate. Because the attack was so complex, it took them many hours to work out exactly how it was carried out and to replicate it. In their own words:
“The first step was to reverse-engineer the transaction and see if we can write the code to replicate the attack. After many hours, the team (now totaling more than 10 people) finally figured out how it was executed (…) This was a very complicated attack and involved many components of the Pickle protocol. As of right now, it does not seem that any other funds are at risk”.
The team has since patched the vulnerability. Even so, they asked yield farmers to withdraw their funds from the affected Jar and to stop depositing into it. The other Jars were not affected and, according to the team, can still be used safely.
Despite these efforts, PICKLE's price took the hit, losing around 65% of its value. It has recovered somewhat since the incident, but remains below its pre-hack price.
Pickle Finance is not the first. Akropolis, an Ethereum-based DeFi lending and savings protocol, was hacked on November 12, when an attacker siphoned 2M USD in DAI from its Ycurve and sUSD pools. This happened despite the protocol having been audited by two different firms. Apparently, the attacker exploited a previously undiscovered flaw involving flash loans.
Sadly, Pickle Finance and Akropolis are not alone. At the end of October, the popular Harvest Finance was hacked as well, for an even larger sum: $24M was siphoned from its USDC and USDT vaults. The price of its native token, FARM, plummeted by 62.2% and has yet to recover.
DeFi hacks seem to be becoming commonplace, especially on Ethereum. The blockchain is in the process of overhauling and improving its entire system, but we will still have to wait some years to see the results.
Featured image by Andreas Göllner / Pixabay
Originally published at https://blog.alfa.cash on November 22, 2020.