By: Jiujiu@SlowMist Security Team

background

According to the SlowMist security team, on September 4, 2024, the decentralized liquidity income project Penpie was attacked, and the attacker made a profit of nearly 30 million US dollars. The SlowMist security team analyzed the incident and shared the results as follows:

(https://x.com/Penpiexyz_io/status/1831058385330118831)

Prerequisites

Pendle Finance is a decentralized financial yield trading protocol with over $4.5 billion in total locked value. The protocol successfully integrated with Magpie to optimize yield opportunities and enhance its veTokenomics model. On this basis, the Penpie project introduced liquidity mining capabilities to enable passive income on Pendle Finance's market.

Pendle Finance includes the following important concepts:

  • PT (Principal Token): represents the principal at a certain point in the future. Holding PT means holding the ownership of the principal, and it can be redeemed after maturity. For example, if you have a PT-stETH option that expires in 1 year, then you will be able to redeem stETH worth 1 ETH in 1 year.

  • YT (Yield Token): represents future earnings. Holding YT means you own all the real-time earnings generated by the underlying assets, and you can manually claim the accumulated earnings on Pendle at any time. If you own 1 YT-stETH, and the average yield of stETH is 5%, then at the end of one year, you will have accumulated 0.05 stETH.

  • SY (Simple Yield): A contract used to wrap any interest-bearing token. It provides a standardized interface that can interact with the yield generation mechanism of any interest-bearing token.

  • LPT (Liquidity Provider Token): represents a liquidity market and serves as a certificate for providing liquidity of underlying assets.

  • PRT (Pool Reward Token): represents the deposit certificate of LPT tokens deposited by users in the Penpie pool.

root cause

The core of this incident is that when Penpie registered a new Pendle market, it mistakenly assumed that all markets created by Pendle Finance were legal. However, Pendle Finance's market creation process is open, allowing anyone to create a market, and key parameters such as the SY contract address can be customized by the user. Taking advantage of this, the attacker created a market contract containing a malicious SY contract, and took advantage of the mechanism that the Penpie pool needs to call an external SY contract when obtaining rewards, and used flash loans to add a large amount of liquidity to the market and pool, artificially magnifying the reward amount, thereby making a profit.

Attack Steps Analysis

Attack preparation

Transaction Hash: 0x7e7f9548f301d3dd863eac94e6190cb742ab6aa9d7730549ff743bf84cbd21d1

1. First, the attacker creates PT and YT yield contracts through the createYieldContract function of the PendleYieldContractFactory contract, sets SY as the attack contract address, and calls the createNewMarket function of the PendleMarketFactoryV3 contract to create the corresponding market contract 0x5b6c_PENDLE-LPT.

2. Next, the attacker uses registerPenpiePool of the PendleMarketRegisterHelper contract to register the Penpie pool. During this process, the deposit certificate PRT token contract and the related rewarder contract are created, and the pool information is registered in Penpie.

3. Subsequently, the attacker calls the mintPY function of the YT contract to mint a large amount of YT and PT, the amount of which depends on the exchange rate returned by the attack contract (SY contract).

4. Immediately afterwards, the attacker deposits PT into the market 0x5b6c_PENDLE-LPT and mints LP tokens.

5. Finally, the attacker deposits the LP tokens into the Penpie pool in exchange for deposit receipt PRT tokens.

Formal attack

Transaction Hash: 0x42b2ec27c732100dd9037c76da415e10329ea41598de453bb0c0c9ea7ce0d8e5

1. The attacker first borrowed a large amount of agETH and rswETH tokens through flash loans.

2. Call the batchHarvestMarketRewards function of the Penpie pool to collect rewards from the specified market in batches. This operation triggers the redeemRewards function of the market contract 0x5b6c_PENDLE-LPT.

3. In the redeemRewards function, the claimRewards function of the SY contract (attack contract) is called externally. During this period, the attacker uses flash loan funds to increase liquidity for the reward tokens (the attack contract specifically sets the reward tokens to two market tokens 0x6010_PENDLE-LPT and 0x038c_PENDLE-LPT), and deposits the obtained market tokens into the Penpie pool to obtain the corresponding deposit certificate tokens.

4. These newly deposited market tokens into the Penpie pool are then treated as calculated rewards and transferred to the Rewarder contract through its queueNewRewards function.

Since the attacker is the only one who has made a deposit in the 0x5b6c_PENDLE-LPT market, the multiclaim function of the MasterPenpie contract can be called immediately to extract this part of the LPT tokens in the Rewarder contract.

5. Finally, the attacker burns the deposit certificate PRT obtained in the third step through the withdrawMarket function of the PendleMarketDepositHelper contract, redeems the market tokens, and removes liquidity from these market tokens together with the rewards extracted in the previous step, and finally obtains the underlying asset tokens (agETH and rswETH) to realize profits.

Summarize

This security incident exposed the problem of insufficient verification in the market registration process of Penpie, and over-reliance on the market creation logic of Pendle Finance, which enabled attackers to control the reward distribution mechanism through malicious contracts and obtain excess rewards. The SlowMist security team recommends that project parties add a strict whitelist verification mechanism when registering the market to ensure that only verified markets are accepted. In addition, for key business logic involving external contract calls, audits and security tests should be strengthened to avoid similar incidents from happening again.