QI Quadriga Initiative

Apr 2024 - Pike Finance USDC Withdrawal Vulnerability - $299k (Global)

Pike Finance

The smart contract had a vulnerability which was reported and ignored, allowing the theft of $299k worth of USDC.

Attacker:
0xAdaF1626aEC26A7937aE7d1Fa0664e6E0904C1d0

Target Contract: 0x7856493B59cdb1685757A6DcCe12425F6a6666a0

Attack Transaction:
0x979ad9b7f5331ea8034305a83b5cd50aea88adec395fff8298dd90eb1b87667f

"On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH."

"While we continue our investigation, we are offering a 20% reward for the return of the funds, or information leading to the recovery of funds."

Ongoing.

The Pike Finance team published a blog post with the plan forward.

"In the coming days, we will disclose a full list of wallet addresses with active supply and borrow positions prior to the protocol halt as of April 26 08:35 PM UTC. Addresses with a supply position will have a credit balance, and addresses with a borrow position will have a debit balance. We will calculate the Net Balance [Total Value of Supply - Total Value of Borrow] and assess whether liquidation levels have been triggered using asset prices as of April 26 08:35 PM UTC. Addresses with a positive net balance after accounting for liquidation checks will be restituted in full directly to their wallets ($OP via Optimism, $ARB via Arbitrum, $ETH and $USDC via Base)."

"The Community Treasury allocation of $P has been set aside for various usages, however one of these is of course, as an insurance fund.

As a result, we will be using 4% of the total supply of $P (from the Community Treasury allocation) as collateral to borrow the necessary stablecoin funds from the team treasury (around $2M USD across both exploits).

These will then be used to purchase the relevant assets on the open market and reimburse users for what they had within Pike prior to the exploit.

As the protocol generates revenue and launches the $P token, this loan will then be paid back accordingly - transferring the $P tokens used as collateral to the Foundation Treasury.

Once the debt is repaid, the $P will be released back to Insurance pool"

Refunds.

Further Analysis

Pike Finance is a lending protocol which allows loans to be taken out against collateral held on other chains. As part of their deployment, there was a known and identified issue where USDC could be withdrawn without proper validation. The team deployed an upgrade to correct the vulnerability, but the upgraded contract allowed all of the assets to be drained from it; the team eventually offered refunds to users.

How Could This Have Been Prevented?


Sources/Further Reading

@RektHQ Twitter (Dec 31)
Rekt - Pike Finance - Rekt (Dec 31)
@PikeFinance Twitter (Dec 31)
Pike | Universal Liquidity Protocol (Dec 31)
Introduction to Pike | User Docs | Pike (Dec 31)
Pike: A Path Forward — Pike (Dec 31)
Post-Mortem Report: Pike USDC Withdrawal Vulnerability — Pike (Dec 31)
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Dec 31)
https://zapper.xyz/account/0xadaf1626aec26a7937ae7d1fa0664e6e0904c1d0?tab=history (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
BaseScan Transaction Hash (Txhash) Details | Base (Dec 31)

