Trusted

Pickle Finance Postmortem Details How $19 Million DAI was Pilfered

2 mins
Updated by Kyle Baird
Join our Trading Community on Telegram

In Brief

  • Pickle Finance attack was highly sophisticated.
  • As many as eight design flaws were exploited.
  • 19.7 million Dai were stolen from the protocol.
  • promo

A number of experts have attempted to break down the exploit that plagued the Pickle Finance decentralized finance protocol over the weekend, and have concluded that it was a highly complex attack.

Late Nov 21, the DeFi stablecoin yield farming protocol Pickle Finance lost almost $20 million through a flash loan attack on its Dai ‘pickle jar,’ or liquidity farm. As reported by BeInCrypto, the team behind the protocol asked ‘farmers’ to extract their collateral, leading to its native token price collapsing by over 50%.

As the digital dust settles, a number of DeFi researchers have delved deeper into the incursion to uncover exactly what happened.

Harvest Finance Hack

Breaking Down the Pickle Attack

Yearn Finance core developer ‘banteg’ [@bantg] worked in collaboration with the Pickle Finance team and a number of other white hats to reproduce the attack and publish the technical details.

The coder suggested there were several flaws in the system that allowed such a vulnerability to be exploited;

“Taking advantage of multiple flaws in the system, including issues with the Jar swap and Jar convert logic, the attacker was able to craft a sophisticated exploit to carry out the heist.”

The attack, which has been dubbed ‘Evil Jar,’ was able to be reverse-engineered as Pickle Jars are forked versions of v1 Yearn Vaults with modifications.

A Controller smart contract governs the jars and the latest version has a direct swap function. It was this feature that was exploited, enabling the attacker to craft an ‘Evil Jar’ contract making it possible to drain funds from the Controller.

Developer ‘vasa’ [@vasa_develop] created a graphical interpretation of the attack which he claimed has been one of the most intricate hacks in the ecosystem so far.

Vasa added that 19.7 million DAI were lost in the hack and about $50k DAI was rescued after reverse-engineering the attack.

Highly Sophisticated

Cornell computer scientist ‘orb_x_ball’ [@orbxball] also weighed in on the sophisticated attack;

“There are actually 8 flaws utilized in this exploit. YET, there’s one thing worth pointing out. This exploit only happens when these 8 flaws occur at the same time.”

It was also pointed out on another postmortem blog that the attacker had excellent knowledge of Solidity and EVM (Ethereum Virtual Machine), and had likely been paying close attention to the Yearn code for some time since Pickle jars originated from yVaults.

Pickle Finance had patched the exploited smart contract adding that jars were now safe from this particular attack vector.

At the time of press, PICKLE token prices were trading at $11.75, still down more than 50% since before the attack and liquidity had yet to return to the beleaguered protocol.

The attack comes less than a month after Harvest Finance was hit with a flash loan exploit.

🎄Best crypto platforms in Europe | December 2024
eToro eToro Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
3Commas 3Commas Explore
🎄Best crypto platforms in Europe | December 2024
eToro eToro Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
3Commas 3Commas Explore
🎄Best crypto platforms in Europe | December 2024

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

profile.jpg
Martin Young
Martin Young is a seasoned cryptocurrency journalist and editor with over 7 years of experience covering the latest news and trends in the digital asset space. He is passionate about making complex blockchain, fintech, and macroeconomics concepts understandable for mainstream audiences.   Martin has been featured in top finance, technology, and crypto publications including BeInCrypto, CoinTelegraph, NewsBTC, FX Empire, and Asia Times. His articles provide an in-depth analysis of...
READ FULL BIO
Sponsored
Sponsored