Pendle has assured its users that its protocol funds remain secure, despite a recent hack on the Penpie Protocol.
The security breach saw an attacker siphon off around $28 million in assets from Penpie protocol, including different types of staked ETH, sUSDE from Ethena, and wrapped USDC stablecoins. The attacker converted the stolen funds to Ethereum via Li.fi and then moved them to a new address. Despite the impact on Penpie, Pendle itself reported no direct financial losses.
The quick response from Pendle’s team, which included pausing the protocol, prevented further exploitation of Penpie and protected around $105 million. Pendle’s in-house monitoring systems immediately flagged suspicious activities linked to Tornado Cash and interacting with Pendle’s contracts.
The alerting and response were exceptional, preventing further losses to Penpie users. It's even more impressive when you consider it occurred in the middle of the night during Singapore hours.
According to subsequent analyses and a postmortem report, the attacker was able to exploit Penpie through the creation of a fake market and counterfeit tokens. Unfortunately Penpie did not account for this in their security measures, which led to a reentrancy attack, exploiting Penpie’s protocols.
As of now, Penpie remains paused, and its team has indicated a willingness to negotiate with the hacker. In an attempt to recover the stolen funds, they have offered the hacker no legal action, anonymity, and a possible bounty reward for their cooperation in resolving the breach.
Pendle has already resumed operations, and its protocol works normally.
Since our last report, Pendle’s TVL has decreased from $4.4 billion to around $2.5 billion. This significant drop was due to the maturity of several liquid restaking markets in June. The maturation of these markets allowed users to redeem their staked funds, leading to substantial capital withdrawals.
Pendle’s team is currently collaborating with other protocols to restore the TVL. Additionally, the team is developing PendleV3 to introduce new yield strategies for DeFi users.
The recent hack did not significantly impact Pendle’s TVL and price. In contrast, Penpie’s token has fallen by 30%, and its TVL has also dropped significantly. At this time, it is uncertain if Penpie will be able to recover from such a substantial financial loss.