[Update] Pike Finance Hacked Twice in Just 5 Days
Pike Finance, a cross-chain lending protocol, has suffered two major hacks within just five days, resulting in millions of USD in losses.
Update Morning of 01/05:
On the morning of 01/05, the DeFi community on Twitter noticed unusual transactions involving Pike Finance's liquidity pools on Ethereum, Arbitrum, and Optimism. The amounts transferred were 479 ETH, 99,970 ARB, and 64,126 OP, totaling approximately 1.7 million USD.
Details of the Attack:
- Hacked Address: 0xe2912b8bf34d561983f2ae95f34e33ecc7792a2905a3e317fcc98052bce66431
- Method of Attack: The hacker exploited a vulnerability in Pike Finance’s
Pike Finance admitted to being attacked on 30/04. The project stated that during the process of patching the 26/04 vulnerability, the smart contract was paused. However, this pause changed technical parameters, allowing the hacker to gain control over the smart contract of the pools.
Pike Finance’s Offer:
Pike Finance has proposed a 20% bounty if the hacker returns the stolen assets.
Update 29/04:
Pike Finance released the latest report on the incident. According to the report, the vulnerability did not stem from CCTP’s product or Gelato's automation service. Instead, issues in Pike Finance’s end-to-end condition checks allowed the messages to be forged, enabling the hacker to drain funds from the pools.
Original Post on 27/04:
Pike Finance announced that the USDC pools on Ethereum, Arbitrum, and Optimism were hacked early on 27/04, with an estimated loss of about 300,000 USDC. The cause of the incident was forged cross-chain messages on the CCTP network of Circle, the issuer of USDC.
The USDC pools on the Base network were not affected. Pike Finance is investigating the vulnerability and plans to compensate affected users. Details of the vulnerability have not been disclosed, and Circle and the CCTP bridge have yet to issue a specific statement.
About Pike Finance:
Pike Finance is a lending solution that allows users to take out cross-chain loans, with collateral distributed flexibly across multiple networks.