Beosin: Analysis of the Attack on the DeFi Protocol Penpie Resulting in Approximately $27 Million in Asset Losses

2024-09-04 10:28:15

ChainCatcher news: according to Beosin Alert monitoring, Penpie, a DeFi protocol built on Pendle, has been hacked, resulting in the theft of approximately $27 million in crypto assets. Beosin provides the following brief analysis of the incident:

The attacker exploited the claimRewards function in the market contract to re-enter the staking contract, increasing the staking contract balance, and then withdrew excess tokens and staked assets from the staking contract for profit.

  1. The attacker first created an attack contract and constructed the corresponding market contract through the official factory.
  2. The attacker then called the batchHarvestMarketRewards function of the staking contract to update rewards for the market.
  3. During the reward update, the attack contract's claimRewards function was called back, which allowed re-entry to stake the assets obtained from the flash loan. This created a discrepancy in the asset quantity of the staking contract, and the attacker withdrew the excess.
  4. The attacker withdrew the staked assets and repaid the flash loan for profit.
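The accounting failure behind steps 2 and 3, as an added example: a toy Python model, not Penpie's or Beosin's code, comparing an unguarded staking contract with one that applies a shared reentrancy lock to every state-changing entry point. It assumes rewards are credited from the contract's balance change around the market callback; `batch_harvest` and `claim_rewards` mirror the functions named above, and all other names and amounts are constructed.

```python
from collections import Counter  # toy model; names and amounts are constructed

def transfer(ledger, src, dst, amt):
    if ledger[src] < amt:
        raise ValueError("insufficient balance")
    ledger[src] -= amt
    ledger[dst] += amt

def guarded(fn):
    def wrapper(self, *args):
        if self.use_guard and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            return fn(self, *args)
        finally:
            self.locked = False
    return wrapper

class Staking:
    def __init__(self, ledger, use_guard):
        self.ledger, self.use_guard, self.locked = ledger, use_guard, False
        self.staked, self.rewards = Counter(), Counter()
    @guarded
    def deposit(self, user, amt):
        transfer(self.ledger, user, "staking", amt)
        self.staked[user] += amt
    @guarded
    def batch_harvest(self, market):
        before = self.ledger["staking"]
        market.claim_rewards(self)  # external call into untrusted market code
        self.rewards[market.owner] += self.ledger["staking"] - before

class ReenteringMarket:  # test double: claim_rewards re-enters deposit
    def __init__(self, owner, amt):
        self.owner, self.amt = owner, amt
    def claim_rewards(self, staking):
        staking.deposit(self.owner, self.amt)

def run(use_guard):
    ledger = Counter(alice=100, mallory=50)  # constructed balances
    staking = Staking(ledger, use_guard)
    staking.deposit("alice", 100)
    try:
        staking.batch_harvest(ReenteringMarket("mallory", 50))
    except RuntimeError:
        pass  # guarded run: the whole harvest is rejected
    owed = sum(staking.staked.values()) + sum(staking.rewards.values())
    return ledger["staking"] >= owed, staking.rewards["mallory"]
```

`run` returns whether the contract's token balance still covers what it owes, plus the reward credited to the market owner. In the unguarded run the same 50 tokens are counted once as stake and once as reward.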