The decentralized finance (DeFi) ecosystem has been rocked by another major security breach. Penpie, a protocol built on the Pendle platform, suffered a hack on September 3, 2024. The protocol reported that the breach resulted in the theft of approximately $27 million worth of cryptocurrency. This Penpie DeFi hack adds to the already worrying rise in crypto scams, pushing total losses for 2024 past a staggering $1.2 billion.
Penpie DeFi Hack Details
Penpie’s post-mortem report sheds light on some of the details of the exploit. It reveals that the attacker exploited a vulnerability in Penpie’s reward distribution mechanism. This vulnerability allowed the attacker to deploy a malicious smart contract, categorized as an “evil market,” that inflated the attacker’s staking balance on the platform. By manipulating this balance, the attacker was able to claim a much larger share of rewards than intended, ultimately draining millions of dollars in crypto assets.
After the hack, the protocol suspended all deposits and withdrawals, halting operations to prevent further losses. The team also filed complaints with the Singapore Police and the FBI, and sent a message to the hacker promising a negotiated bounty payment in exchange for the safe return of the funds.
“We acknowledge that you have exploited our protocol,” they wrote. “Please contact us to discuss terms in confidence. No legal action will be taken if the funds are returned. Let’s find a mutually beneficial solution.”
Euler Finance Cybercriminal Praises Penpie Hacker
Shortly after the incident, reports surfaced that the Penpie hacker quickly transferred a significant portion of the stolen funds – approximately $7 million – through the Tornado Cash cryptocurrency mixer. Mixers of this kind are designed to obscure the origin and destination of cryptocurrency transactions, making them a popular tool for criminals looking to launder ill-gotten gains.
After the Penpie hack, another notorious figure, the Euler Finance hacker responsible for a $195 million DeFi theft in 2023, left a message on the blockchain. The message, addressed to the Penpie hacker, offered congratulations on the decision not to return the stolen funds.
“Good job bro. I haven’t seen a hack like that in a while. I’m glad you kept all the money and didn’t let those bastards get a single dollar of what you took. You won, they lost. Good job,” they wrote.
More than 9,000 victims in August due to laptop phishing scams
Unfortunately, the Penpie incident is just one of many major DeFi hacks in 2024. The cryptocurrency landscape continues to be plagued by cyberattacks, with the total value of stolen funds in 2024 exceeding $1.21 billion. This represents a 15.5% increase from the previous year, according to a report by Immunefi. The losses are spread across 154 separate incidents, with the majority occurring in the DeFi space.
August 2024 was a particularly alarming month for cryptocurrency investors, as hackers exploited various vulnerabilities to steal millions of dollars. Two major attacks during this period resulted in the theft of approximately $238 million in Bitcoin and $55 million in Dai.
Phishing scams also saw a sharp increase in August, with Scam Sniffer reporting a 215% increase in stolen funds compared to the previous month. More than 9,000 people fell victim to these scams, losing approximately $63 million. A single large-scale phishing attack accounted for the majority of these losses, with approximately $55 million stolen.
Regulation and the future of DeFi
The increasing frequency of DeFi hacks has also sparked discussions around possible regulations. While some advocate for a more hands-on approach from regulators, others argue that such measures could stifle innovation and the fundamentals of DeFi.
Finding the right balance between security and innovation remains a challenge. However, it is clear that addressing security vulnerabilities will be critical to fostering long-term trust and stability in the DeFi ecosystem.