Penpie releases attack analysis report: 11,113.6 ETH stolen, compensation plan to be determined by governance vote on Snapshot

According to Golden Finance, Penpie released an analysis report on the attack incident, pointing out that its platform was attacked on September 3rd, resulting in the theft of 11,113.6 ETH (approximately $27,348,259). Currently deposits and withdrawals are suspended while frontend recovery is complete. It's reported that hackers exploited a re-entry protection vulnerability in the PendleStakingBaseUpg::batchHarvestMarketRewards() function by re-entering the PendleStakingBaseUpg::depositMarket() function during reward acquisition process. The malicious SY contract repeatedly added new deposits from flash loans which allowed attackers to manipulate reward tokens and their amounts sent to fake Pendle market depositors who were actually attackers themselves.

At this stage, Penpie is actively cooperating with law enforcement agencies to identify and arrest the attacker(s), and has also sent multiple chain messages to hackers seeking white hat negotiations but has not yet received a response. In addition they have provided updates about deposits/withdrawals and other related developments within their community. Penpie stated it will conduct comprehensive reviews of all protocols and smart contracts for vulnerabilities going forward; perform regular audits of entire protocol; monitor real-time activities; implement automatic suspension systems for resilience while continuing progress. Furthermore they plan on opening a thread in governance forum for collecting community suggestions/feedbacks as part of compensation planning process then create governance voting on Snapshot to finalize compensation plans.