According to ChainCatcher, Beosin Alert monitoring shows that the DeFi protocol Penpie built on Pendle was hacked and about $27 million in crypto assets were stolen. Beosin briefly analyzed the incident as follows:

The attacker uses the claimRewards function in the market contract to re-enter the staking contract to increase the balance of the staking contract, and then withdraws the excess tokens and staked assets of the taking contract to make a profit.

1. The attacker first creates an attack contract and builds the corresponding market contract through the official factory
2. Call the batchHarvestMarketRewards function of the staking contract to update the rewards for the market
3. When updating rewards, the attack contract claimRewards function will be called back, and the assets obtained by the flash loan will be re-entered to pledge, so that the assets of the staking contract will form a quantity difference, and the excess will be extracted
4. The attacker withdraws the pledged assets and returns the flash loan to make a profit