Trusted

Pike Finance Exploited Twice in Three Days, Over $1.6 Million Lost

2 mins
Updated by Harsh Notariya
Join our Trading Community on Telegram

In Brief

  • Pike Finance smart contract vulnerability leads to $1.6 million loss.
  • The exploit follows a previous USDC-related incident on April 26.
  • Pike team offers reward, plans compensation for affected users.
  • promo

On early Wednesday morning, blockchain security firm Cyvers identified several anomalous transactions on the cross-chain lending protocol of Pike Finance. Cyvers further revealed that this suspicious transaction resulted in a substantial financial loss of approximately $1.6 million.

The illicit activity was primarily conducted across Ethereum (ETH), Arbitrum (ARB), and Optimism (OP) blockchains. The intruder leveraged a privacy-focused tool, Railgun, on Arbitrum for their cyberattack.

Pike Finance Suffered Exploitations Twice in Three Days

On-chain surveillance platform CertiK quickly traced the attack’s origins to April 30. It reveals that the attacker used a method to insert a malicious code by invoking the initialize function, which manipulated Pike Finance’s smart contract system.

“[The] attacker was able to initialize Pike Finance’s contract, during which the _isActive variable is set to the attacker’s address. The attacker could then use this privilege to call the contracts upgradeToAndCall function and change the implementation to one that they had created. They were then able to drain the contract’s assets,” CertiK’s representative told BeInCrypto.

Read more: Top 5 Flaws in Crypto Security and How To Avoid Them

Suspicious Transactions in Pike Finance.
Suspicious Transactions in Pike Finance. Source: Cyvers

Following the alerts, Pike Finance finally issued a statement detailing the exploit and its repercussions over its official X account. The protocol claimed a loss of 99,970.48 ARB, 64,126 OP, and 479.39 ETH from this incident.

According to the detailed breakdown provided by Pike Finance, the attacker upgraded the spoke contracts under a previously compromised framework. They then exploited the smart contract’s misaligned storage mapping.

“As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and withdraw funds,” the Pike Finance team wrote.

Pike Finance also highlighted its commitment to investigating the breach further. Additionally, it offers a 20% reward for any information leading to recovering the stolen assets. It will also discuss and announce plans to compensate affected users.

The recent exploit has a connection to a vulnerability in its USD Coin (USDC) withdrawal on April 26. Pike Finance acknowledged that the vulnerability is “due to weak security measures in functions managing USDC transfers via CCTP protocol. A critical flaw was found in the functions meant for burning USDC on a source chain and minting on a target chain, which was automated by Gelato’s services.

Read more: Top 10 Must Have Cryptocurrency Security Tips

“Inadequate protection of this function allowed attackers to manipulate receiver’s address and amounts, which were processed by Pike protocol as valid,” Pike Finance stated in a post-mortem post.

The exploitation saw the loss of 299,127 USDC, affecting three networks — Ethereum, Arbitrum, and Optimism. However, Pike Finance claimed that the incident only affected USDC assets, and all other assets are safe.

Top crypto projects in the US | October 2024
Exodus Exodus Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | October 2024
Exodus Exodus Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | October 2024

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

Lynn-Wang.png
Lynn Wang
Lynn Wang is a seasoned journalist at BeInCrypto, covering a wide range of topics, including tokenized real-world assets (RWA), tokenization, artificial intelligence (AI), regulatory enforcement, and investments in the crypto industry. Previously, she led a team of content creators and journalists for BeInCrypto Indonesia, focusing on the adoption of cryptocurrencies and blockchain technology in the region, as well as regulatory developments. Prior to that, at Value Magazine, she covered...
READ FULL BIO
Sponsored
Sponsored