The decentralized finance (DeFi) ecosystem has been hit by yet another significant security breach. On September 3, 2024, Penpie, a protocol built on the Pendle platform, was hacked, resulting in the theft of approximately $27 million worth of cryptocurrency. This incident has pushed total crypto losses for 2024 beyond $1.2 billion, highlighting the ongoing threat of crypto scams.
Details of the Penpie DeFi Hack
A post-mortem report by Penpie reveals that the hacker exploited a vulnerability in the protocol’s reward distribution mechanism. The attacker deployed a malicious smart contract, referred to as an “evil market,” which inflated the attacker’s staking balance, allowing them to claim a disproportionate amount of rewards. This manipulation led to millions in stolen funds.
In response, Penpie suspended all deposits and withdrawals, halting operations to prevent further losses. The protocol has also filed complaints with the Singapore police and the FBI. Additionally, Penpie reached out to the hacker, offering a negotiated bounty payment in exchange for the return of the stolen funds.
“We acknowledge your exploit of our protocol,” Penpie wrote to the hacker. “Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned.”
Hacker Praise from Euler Finance Cybercriminal
Shortly after the hack, the Penpie hacker moved about $7 million through Tornado Cash, a crypto mixer designed to obscure the origin of transactions. This technique is frequently used by cybercriminals to launder stolen funds.
Adding to the drama, the hacker behind the Euler Finance hack (responsible for a $195 million DeFi heist in 2023) praised the Penpie hacker for keeping the stolen funds:
“Good job bro… I’m happy you kept all the money and didn’t let these bastards get back one dollar.”
Surge in Crypto Scams in 2024
Unfortunately, the Penpie hack is part of a broader trend. In 2024, cyberattacks in the crypto space have resulted in $1.21 billion in stolen funds, a 15.5% increase compared to the previous year, according to a report by Immunefi. The year has witnessed 154 separate incidents, with the majority occurring in the DeFi sector.
August 2024 alone saw alarming levels of crypto phishing scams, with over 9,000 victims losing about $63 million, marking a 215% increase in stolen funds from the previous month.
Regulation and the Future of DeFi
As DeFi hacks continue to rise, there are increasing discussions around regulation in the sector. While some argue that regulatory intervention is necessary to protect users, others fear it could stifle innovation in the DeFi space. Striking the right balance between security and innovation will be critical for maintaining trust and stability in the DeFi ecosystem.