DESCRIPTION OF EVENTS
"DeFiPie (PIE) [is a] lending protocol on the Ethereum and Binance smart chain." "DeFiPie combines some of the best features of money market protocols, while offering its own unique features, enabling users to enjoy the promises of Decentralized Finance." "DeFiPie combines the best aspects of many Decentralized Finance (DeFi) applications to create the ultimate DeFi experience. Users can create custom liquidity pools, engage in the DAO and governance, use the PIE token to borrow funds, and begin earning annual percentage yields over 100%."
"Lenders and borrowers can lend or borrow crypto assets in a decentralized manner without passing a registration, doing a KYC and trusting a third party. Investors, traders, and speculators can offer their idle capitals as custom pools with a fixed rate for lending. Liquidity Provider can provide assets to existing pools and farm the Governance Token PIE with an annual percentage yield of up to 150%. Users can also stake PoS-based assets in existing pools to earn staking rewards according to the underlying protocols."
"The DeFiPIE protocol is a series of interest rate pools running on a variety of blockchains. When users and applications deposit their assets to the DeFIPIE Protocol, they begin earning a variable interest rate instantly. Interest accrues every block (for Ethereum ~13 seconds, for Binance Smart Chain ~3 seconds), and users can withdraw their principal plus interest anytime."
"When users deposit assets, they receive pTokens from DeFiPIE in exchange. pTokens are ERC20 tokens that can be redeemed for their underlying assets at any time. As interest accrues to the assets deposited, pTokens are redeemable at an exchange rate (relative to the underlying asset) that constantly increases over time, based on the rate of interest earned by the underlying asset."
"On the night of July 12–13, under cover of night, [an] attacker was able to withdraw almost all available liquidity from the protocol in ETH and BSC networks."
"The evil pTokens allow for nested borrows." "The main feature of the DeFiPIE protocol was that anyone can create new pools for any token. It was this feature that allowed the hacker to create a pool for the malicious token." The attacker "created a token contract (X token) with a modified transfer function. (X1, X2). He [then] created pools for X tokens and deposited liquidity. He provided real collateral (USDT, DAI, USDC, etc). He borrowed X tokens and real token (PIE and other) and with modified transfer function in X token he could borrow more than he provided collateral. After that[,] from his second account[,] he liquidated loans of X tokens in the first account thereby return[ing] the collateral."
The team "tweeted that its application was hacked." "According to CoinGecko data, PIE tokens [fell] by more than 66% in 24 hours."
"The team [started] working with security auditing companies to find a solution. It [was] recommended that all liquidity providers extract all from the application. fluidity. Currently holding assets on the DeFiPie application is not safe." "Right now, we have created governance proposals in all networks to set pause guardian, after which we will pause the possibility of liquidations and borrowing. This will avoid re-attacking."
"[W]e’ll be creating a new token." "Old $PIE tokens won’t be accepted anymore." "[A]ll $PIE holders have to deposit old $PIE tokens to the DeFiPie application and receive pPIE tokens in exchange." "Those who will have pPIE tokens will receive new locked $PIE tokens (we’ll announce the address of the new smart contract a bit later). DeFiPie team will create custom smart contracts, where you have to deposit (stake) your pPIE tokens and only in this case you’ll able to receive new $PIE tokens. We won’t support exchanges or cold wallets with old $PIE tokens. You’ll receive new $PIE tokens only if you’ll deposit pPIE tokens into a special smart contract developed by the DeFiPie team."
"We’ll try to do our best for all investors and partners, but unfortunately we can’t compensate all amounts of money right now." "Investors and partners, who were ready to convert their holdings to the price a day before the hack (12 July) will be in #1 queue. They’ll be able to receive a 25% APY bonus on their investment amount. You’ll able to receive compensation on your native investment without any APY, but you’ll be in #2 queue."
"We will not say that everything was broken, and now we plan to work in the future and continue to rebuild our product — we have to find new way, change something and provide more value than previously expected."
"For the past few weeks, we’ve been hard at work on next steps and plans for DeFiPie and a solution has finally come! We’re ready to present a rebranding program for DeFiPie, and our future plans and vision! So, read and chill!"
"DeFiPie is going to rebrand its name — DeFiPie is going to be called pieLABS — the first laboratory of decentralized finances!" "pieLABS will be the principal company under the DeFiPie project. From today, DeFiPie is only one part of a more complex product of the pieLABS ecosystem." "All-in-one does not just mean the DeFi and NFT market. We’re going to operate like crypto bank!"
The DeFiPie smart contract allowed custom smart contracts to be added, which enabled a re-entrancy attack.
The issue was subsequently fixed. DeFiPie is planning to reimburse users and rebrand to a new name - pieLABS.
HOW COULD THIS HAVE BEEN PREVENTED?
Re-entrancy attacks are a common mistake that can exist in smart contract hot wallets. They may be detectable through the right security audit.
In order to be more certain of security, offline cold storage and a proper multi-sig is best.
SlowMist Hacked - SlowMist Zone (May 17)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
Hacking Investigation (Aug 10)
@peckshield Twitter (Aug 10)
Binance Transaction Hash (Txhash) Details | BscScan (Aug 18)
DeFiPie price, PIE chart, market cap, and info | CoinGecko (Aug 18)
Getting Started - DeFiPIE (Aug 18)
Defipie Compensation Plan Next Steps (Aug 18)
Defipie Rebranding Announcement (Aug 18)
DeFiPie Gets Hacked, Working to Solve Issue with Help From PeckShield (Aug 18)
@defipiepie Twitter (Aug 18)