Author: Grapefruit, ChainCatcher

Editor: Marco, ChainCatcher


On September 5, Penpie, a yield product built on the yield tokenization protocol Pendle, stated in its latest security incident report that the hacker attack caused it to lose more than $27 million worth of ETH.

According to DeFiLlama, the total value locked (TVL) on the Penpie platform was approximately US$90 million, so the hackers stole roughly one-third of the assets on the platform.

Although the Penpie protocol is not well-known in the crypto space, the DeFi protocols behind it have a large footprint in the crypto industry. First, the underlying yield tokenization protocol Pendle holds about $2.5 billion in interest-bearing assets such as LST, LRT, and stablecoins; in addition, Penpie is one of the subDAO products created by Magpie, and the value of crypto assets locked across the Magpie ecosystem has exceeded $1.3 billion.

Penpie was stolen for $27 million, and the Pendle token fell more than 10% that day

On the morning of September 4, it was revealed that Penpie, a yield product built on Pendle, was being attacked by hackers through a contract vulnerability, with the value of the lost assets exceeding US$27 million.

After the news broke, the Penpie platform token PNP fell by more than 35% and is now fluctuating around US$0.9.

Subsequently, Penpie officially responded that it had suspended all deposit and withdrawal operations and that the team was dealing with the issue. It also sent an open letter to the hacker, expressing its willingness to negotiate with the hacker on the return of the stolen funds.

In its latest security report on September 5, Penpie stated that a hacker exploited a security vulnerability in its platform and stole more than $27 million worth of ETH (11,113.6 ETH) from Arbitrum and the Ethereum network by manipulating a fake Pendle market.

Users who deposited assets from several LST protocols on Penpie were the most affected by the attack, including Kelp DAO's agETH, Swell's rswETH, Lido's stETH, Ethena's sUSDe and Gains' gUSDC.

Penpie is a DeFi yield-enhancing governance protocol built on the yield tokenization protocol Pendle. Its main role is to simplify the staking and locking of Pendle's token, PENDLE, by providing veToken services that enhance the returns of PENDLE holders.

As is well known, Pendle splits interest-bearing assets such as LST and LRT into principal tokens (PT) and yield tokens (YT) that users can trade.

The relationship between Penpie and Pendle is similar to that between Convex and Curve. PENDLE holders can obtain mPENDLE by staking their PENDLE through Penpie. Holding mPENDLE earns not only rewards from the Pendle protocol but also a second layer of rewards in Penpie's native token, PNP.

In short, Penpie takes the staking, locking, voting, boosting and related processes of Pendle's veToken model and packages them into a separate product that performs them on behalf of users. That is, when users convert PENDLE to mPENDLE, Penpie automatically locks the converted PENDLE into vePENDLE in Pendle Finance, and users also receive additional rewards in Penpie's native token PNP.

According to Dune data, the amount of vePENDLE staked through Penpie is approximately 12.74 million (worth approximately US$38 million), accounting for nearly 38% of vePENDLE, making it the protocol with the highest vePENDLE holdings.

However, this security incident did not have much impact on Pendle's own assets. The hacker mainly targeted assets held in the permissionless pools on the Penpie platform.

In May this year, the Penpie platform launched a new permissionless pool feature, which allows Pendle users to create an LP pool on the platform for any PT or YT token, such as Swell's rswETH LP. Users can then deposit that LP on Penpie to earn an additional PNP token reward, collecting both sets of rewards at once.

The attack was carried out by exploiting a vulnerability in the Penpie platform and creating a fake Pendle pool on the platform, which the attacker then used to drain funds.

After the security incident broke out, Pendle first stated that it had quickly paused the relevant contracts, effectively protecting about $105 million. Soon after, it announced that all Pendle contract operations had been restored and transactions could proceed normally. The security vulnerability was limited to the Penpie platform; the assets on Pendle were not affected and remained safe.

In addition, Equilibria, another yield enhancement protocol on Pendle, stated that its platform assets are safe: its contract code (which differs from Penpie's) requires approval from the core team before a Pendle market pool can be added on Equilibria, and there is a 7-day waiting period before rewards are issued.
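The two registration models described above, as an added illustration that is not Penpie's or Equilibria's code: an open registration path that accepts any address beside a gated path that checks the market against a trusted Pendle market factory and delays reward activation. The `isValidMarket` factory method and all contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: the canonical Pendle market factory is expected to
// report whether it deployed a given market address (name is an assumption).
interface IPendleMarketFactory {
    function isValidMarket(address market) external view returns (bool);
}

// Hypothetical yield-booster pool registry (added illustration, not Penpie or
// Equilibria code). It shows the weak pattern the article attributes to the
// permissionless pool feature beside the gated pattern Equilibria described.
contract PoolRegistry {
    IPendleMarketFactory public immutable factory;
    address public immutable admin;
    uint256 public constant REWARD_DELAY = 7 days;

    struct Pool { bool registered; uint256 rewardsActiveAt; }
    mapping(address => Pool) public pools;

    constructor(address factory_) {
        factory = IPendleMarketFactory(factory_);
        admin = msg.sender;
    }

    // Weak form: anyone can register any address, so a contract that merely
    // mimics a Pendle market is treated like a genuine one and rewards accrue
    // immediately, with no review window.
    function registerPoolPermissionless(address market) external {
        pools[market] = Pool(true, block.timestamp);
    }

    // Hardened form: admin approval, origin checked against the factory, and
    // reward accounting becomes active only after a waiting period, giving
    // the team time to review before any rewards can be claimed.
    function registerPoolGated(address market) external {
        require(msg.sender == admin, "not admin");
        require(factory.isValidMarket(market), "not a Pendle market");
        require(!pools[market].registered, "already registered");
        pools[market] = Pool(true, block.timestamp + REWARD_DELAY);
    }

    // Reward distribution logic should consult this before paying out.
    function rewardsActive(address market) public view returns (bool) {
        Pool memory p = pools[market];
        return p.registered && block.timestamp >= p.rewardsActiveAt;
    }
}
```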

Even so, on the day Penpie was attacked, the Pendle token PENDLE fell by more than 10% and is currently priced at $2.79.

What impact does the theft of Penpie have on Magpie products?

Penpie is one of the flagship products created by Magpie, so the impact of this security incident on the Magpie ecosystem has drawn particular attention from the crypto community. Magpie's products now reach into multiple DeFi protocols, and if security incidents were to occur across them at once, the scope of impact would be huge.

Magpie is a multi-chain DeFi management platform, known as "Magpie" by the Chinese community. It mainly provides enhanced yield services for DeFi protocol users that adopt the veToken economic model. It is currently also focused on providing re-staking LST/LRT services.

Unlike common DeFi products such as cross-chain DEXs, the Magpie platform creates, expands and manages multiple DeFi protocols within its ecosystem through a SubDAO model. Each SubDAO operates independently, is responsible for a separate protocol, and issues its own governance token; 15-20% of the governance tokens issued by each SubDAO are then contributed to the Magpie vault.

Currently, there are 10 subDAOs in the Magpie ecosystem, which can be divided into two categories:

The first type provides enhanced services for the veTokens of DeFi protocols, such as Penpie (based on the yield tokenization protocol Pendle), Cakepie (DEX platform PancakeSwap), Wompie (DEX platform Wombat Exchange), and Radpie (multi-chain lending protocol Radiant);

The second type provides services based on re-staking LST or LRT, such as Listapie (Lista DAO), Eigenpie (EigenLayer), Babypie (Babylon), and Sympie (the re-staking protocol Symbiotic).

Crypto KOL @CM once wrote that the Magpie ecosystem's products have taken part in the Pendle war, the Cake war, the Restaking war, and the upcoming Babylon war. Through its subDAOs it has accumulated governance resources in many mainstream DeFi protocols and can be called a "model worker of the crypto industry."

As of September 5, Magpie has accumulated over $1.3 billion in TVL across multiple protocols.

Because Penpie is a DeFi yield enhancement product of the Magpie ecosystem, a sudden security incident like this will inevitably make users of the wider ecosystem cautious.

Shortly after the security breach was exposed, Penpie immediately stated that the root cause had been found and that all other protocols in the Magpie ecosystem remained secure and unaffected.

Magpie officials also immediately posted on the X platform that after multiple confirmations, all other protocols within the Magpie ecosystem are unaffected and safe.

However, some community users noted that Babypie, the newly launched BTC re-staking product based on Babylon, is currently raising funds and preparing for an IDO, and may be affected by this incident.

ChainCatcher asked the Babypie team about the impact of Penpie's security incident on it.

Official community staff stated that each SubDAO operates independently, all funds in other SubDAOs are safe (there are no similar vulnerabilities in other SubDAOs), and all our SubDAO contracts will be re-checked, tested and audited.