Incident

Penpie DeFi protocol flaw exploited to steal $27 million



Penpie, a decentralized finance protocol designed to enhance yield for Pendle Finance users, was exploited for $27 million on September 3 due to a vulnerability that allowed unauthorized creation of Pendle market assets.

According to blockchain data, the attacker drained various types of staked Ether (ETH), Ethena's sUSDE, and wrapped USDC stablecoins from the protocol. The stolen assets were then predominantly converted to ETH using the Li.fi platform and transferred to a new address, as confirmed by Etherscan data.

The vulnerability stemmed from the "registerPenpiePool" function, which checks whether a Pendle Market is already listed in Pendle Finance's factory contract. However, the "createNewMarket" function allowed any user to list a market in the factory contract, effectively allowing the registration of malicious markets.

The attacker exploited this flaw to create a fraudulent Pendle Market and pool, configured to deliver high-value Pendle tokens as rewards.
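The trust gap described above, as a simplified Python model added here (it is not Penpie's or Pendle's contract code): the class names, method bodies, caller labels and the `trusted_creators` allowlist are assumptions for illustration, and the allowlist is only one possible hardening.

```python
# Constructed model: names echo the functions quoted in the article, but
# every body here is an assumption, not the protocols' on-chain logic.

class MarketFactory:
    """Stands in for the factory contract: anyone may list a market."""
    def __init__(self):
        self._markets = {}  # market id -> address that created it

    def create_new_market(self, caller, market_id):
        # No access control: a listing proves existence, not trustworthiness.
        self._markets[market_id] = caller
        return market_id

    def is_listed(self, market_id):
        return market_id in self._markets

    def creator_of(self, market_id):
        return self._markets.get(market_id)


class PoolRegistry:
    """Stands in for the protocol side that registers a pool per market."""
    def __init__(self, factory, trusted_creators=None):
        self.factory = factory
        self.trusted_creators = trusted_creators  # None = listing check only
        self.pools = set()

    def register_pool(self, market_id):
        if not self.factory.is_listed(market_id):
            raise PermissionError("market not listed in factory")
        # Hardened variant (assumed): also require a creator the protocol trusts.
        if (self.trusted_creators is not None
                and self.factory.creator_of(market_id) not in self.trusted_creators):
            raise PermissionError("market creator not trusted")
        self.pools.add(market_id)
        return True


def demo():
    factory = MarketFactory()
    factory.create_new_market("pendle-team", "market-A")   # constructed data
    factory.create_new_market("unknown-user", "market-X")  # constructed data
    weak = PoolRegistry(factory)
    hardened = PoolRegistry(factory, trusted_creators={"pendle-team"})
    results = {"weak_accepts_X": weak.register_pool("market-X"),
               "hardened_accepts_A": hardened.register_pool("market-A")}
    try:
        results["hardened_accepts_X"] = hardened.register_pool("market-X")
    except PermissionError:
        results["hardened_accepts_X"] = False
    return results
```

The listing-only registry accepts the market created by an arbitrary caller, while the variant that also checks who created the market rejects it.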

Two audits have missed the flaw:

  • An earlier audit by Zokyo did not identify this flaw because it was not present in the version reviewed; that audit covered code in which only the protocol team could register a pool.
  • A subsequent audit by AstraSec, carried out after the introduction of "permissionless pool registration," also did not detect the vulnerability because the audit's scope was limited to new contracts only.

The value of Penpie's token (PNP) plummeted by 40% following the attack.

Pendle's token (PENDLE) also declined by nearly 8% over the past 24 hours, underperforming compared to the 1%-3% decrease in Bitcoin (BTC) and Ethereum (ETH).
