Pendle Funds Remain Safe Following $28 Million Penpie Protocol Hack
Penpie is currently on hold and seeking negotiations with the hacker to recover the stolen funds. Pendle continues to operate as usual.
Pendle has assured its users that its protocol funds remain secure, despite a recent hack on the Penpie Protocol.
đź’ˇ
Penpie, an independent platform, operates above Pendle and allows $PENDLE holders to transform their tokens into $mPENDLE for potentially high returns. Utilizing Pendle Finance’s veTokenomics model, Penpie offers additional $PENDLE rewards.
The security breach saw an attacker siphon off around $28 million in assets from Penpie protocol, including different types of staked ETH, sUSDE from Ethena, and wrapped USDC stablecoins. The attacker converted the stolen funds to Ethereum via Li.fi and then moved them to a new address. Despite the impact on Penpie, Pendle itself reported no direct financial losses.
The quick response from Pendle’s team, which included pausing the protocol, prevented further exploitation of Penpie and protected around $105 million. Pendle’s in-house monitoring systems immediately flagged suspicious activities linked to Tornado Cash and interacting with Pendle’s contracts.
The alerting and response were exceptional, preventing further losses to Penpie users. It's even more impressive when you consider it occurred in the middle of the night during Singapore hours.
According to subsequent analyses and a postmortem report, the attacker was able to exploit Penpie through the creation of a fake market and counterfeit tokens. Unfortunately Penpie did not account for this in their security measures, which led to a reentrancy attack, exploiting Penpie’s protocols.
As of now, Penpie remains paused, and its team has indicated a willingness to negotiate with the hacker. In an attempt to recover the stolen funds, they have offered the hacker no legal action, anonymity, and a possible bounty reward for their cooperation in resolving the breach.
Pendle has already resumed operations, and its protocol works normally.
Since our last report, Pendle’s TVL has decreased from $4.4 billion to around $2.5 billion. This significant drop was due to the maturity of several liquid restaking markets in June. The maturation of these markets allowed users to redeem their staked funds, leading to substantial capital withdrawals.
Pendle’s team is currently collaborating with other protocols to restore the TVL. Additionally, the team is developing PendleV3 to introduce new yield strategies for DeFi users.
đź’ˇ
Liquidity staking protocols such as Lido allow for the leverage of investment in staking with a range of liquid staking derivate (LSD) primitives. One method, called looping, allows re-staking (different from restaking) of the same funds by converting liquid staking tokens into the original staked assets multiple times. Pendle protocol allows users to do the same thing with one unique feature: the liquid staking tokens of Pendle are split into principal and yield elements. Those who want amplified leverage can get more yield tokens in exchange for the principal tokens. On the other side of the protocol, those who get principal tokens receive them at a discount, allowing them to buy the principal asset, such as ether, at a lower price.
The recent hack did not significantly impact Pendle’s TVL and price. In contrast, Penpie’s token has fallen by 30%, and its TVL has also dropped significantly. At this time, it is uncertain if Penpie will be able to recover from such a substantial financial loss.
Members Discussion