In the latest of a long string of decentralized finance protocol exploits, Pickle Finance lost as much as $20 million in an attack on its DAI farms this weekend.
The DeFi protocol posted that hackers exploited its DAI ‘pickejar’ strategy and that it was looking into the incursion. In what appears to be another flash loan attack, almost $20 million in DAI has been stolen.
DeFi researcher Nick Sawinyh [@sawinyh] simplified the attack with this diagram. It suggests that the hacker deployed ta malicious jar in order to leech the funds from the genuine ones.
Pickle Finance started advising users to unstake their tokens and withdraw from the protocol.
“We’re encouraging all LPs to withdraw their funds from the Jars until the issues have been resolved.”
At the time of writing the last update on its twitter feed was twelve hours ago with withdrawal instructions, but no further information. The attack follows similar flash loan exploits for Origin Protocol’s OUSD and Harvest Finance.
What a Pickle
Pickle Finance’s model brought the four largest stablecoins USDT, DAI, USDC, and sUSD closer to their peg. Pickle used liquidity farms and ‘pVaults’, which were rebranded to ‘pJars’ or pickle jars.
Using an ethos of ‘Off-peg bad, on-peg good,’ Pickle incentivized users to sell stablecoins trading above their peg and buy ones that are below it.
When a stablecoin is above peg, the protocol distributes fewer PICKLE tokens to that pool and more to others. Yield farmers chasing the best returns react to the sell and buy pressure for the overvalued and undervalued stablecoins.
Triple digit yields proved irresistible to the degen farmers that flocked to the protocol since its mid-September launch. Although Pickle Finance claims it has had two independent audits it appears not to have made much of a difference.
Bitcoiner and Morgan Creek Digital co-founder, Anthony Pompliano, was quick to stick the knife in.
“Is anyone surprised at this point? Majority of these DeFi projects have no audits, no true governance, and aren’t decentralized. ICO 2.0 is underway.”
PICKLE Sliced by 50%
At the time of writing, the total value locked on the protocol was reported at $23 million according to the Pickle dApp.
No doubt this is a dwindling number, as is the price of PICKLE tokens at the moment which have dumped 50% since the attack occurred.
PICKLE traded at a little over $10 at the time of writing, dumping from $23 this time yesterday. Since its all-time high of over $80, this DeFi token has dumped 87% to current levels and the pain is not over yet.