Pike Finance Hacked for the Second Time in Less Than a Week: $1.6M in Losses


TL;DR

  • Pike Finance, a cross-chain lending protocol, was exploited for the second time in less than a week, leading to losses of over $1.6 million. The exploit was carried out on the Ethereum (ETH), Arbitrum (ARB), and Optimism (OP) blockchains.
  • The attacker exploited a vulnerability in Pike Finance’s smart contracts, using the initialize function to insert malicious code. This allowed them to manipulate Pike Finance’s smart contract system and drain assets from the contract.
  • In response to the breach, Pike Finance is offering a 20% bounty for information leading to the recovery of the stolen assets. They are also discussing a compensation plan for affected users and plan to announce it soon.

Pike Finance, a cross-chain lending protocol, has been exploited for the second time in less than a week, resulting in losses of over $1.6 million. The exploit was primarily carried out on the Ethereum (ETH), Arbitrum (ARB), and Optimism (OP) blockchains.

The exploit was first identified by blockchain security company Cyvers in the early hours of Wednesday. They noticed several abnormal transactions in Pike Finance’s cross-chain lending protocol. Further investigation revealed that these suspicious transactions had resulted in substantial financial losses of approximately $1.6 million.

The attacker exploited a vulnerability in Pike Finance’s smart contracts, using the initialize function to insert malicious code. This allowed them to manipulate Pike Finance’s smart contract system. 

“The attacker was able to initialize Pike Finance’s contracts, during which the _isActive variable was set to the attacker’s address. The attacker then used this privilege to call the contract’s upgradeToAndCall function, changing the implementation to one they had created. The attacker was then able to drain assets from the contract,” a representative from the on-chain monitoring platform CertiK told news outlets.

The Impact of the Exploits on Pike Finance Users


Following the warning, Pike Finance issued a statement on their official account detailing the exploit and its impact. The protocol claimed losses of 99,970.48 ARB, 64,126 OP, and 479.39 ETH due to this incident.

According to the detailed breakdown provided by Pike Finance, the attacker upgraded the spoke contract under the previously compromised framework and exploited the misaligned storage mapping of the smart contract. This exploit follows a vulnerability related to USD Coin (USDC) withdrawals that occurred on April 26. 
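
The following is an added example, not code from Pike Finance or from the sources quoted in this article. It is a simplified Python model of Solidity slot packing that shows how a storage layout shifted by an upgrade can make an initializer guard read as unset, plus a pre-deployment check that flags the shift. All variable names and layouts are hypothetical, since the article does not give the contract's actual layout.

```python
# Added illustration (not Pike Finance code): a simplified model of how Solidity
# assigns state variables to 32-byte storage slots. All layouts are constructed.
SIZES = {"bool": 1, "uint8": 1, "address": 20, "uint256": 32, "mapping": 32}

def layout(variables):
    """Map each (name, type), in declaration order, to (type, slot, byte offset)."""
    result, slot, offset = {}, 0, 0
    for name, typ in variables:
        size = SIZES[typ]
        # Open a new slot when the value does not fit; a mapping never shares a slot.
        if offset + size > 32 or (typ == "mapping" and offset > 0):
            slot, offset = slot + 1, 0
        result[name] = (typ, slot, offset)
        offset += size
    return result

def write(storage, lay, name, value):
    """Store a value the way the implementation owning `lay` would."""
    _, slot, offset = lay[name]
    storage[slot] = storage.get(slot, 0) | (value << (8 * offset))

def read(storage, lay, name):
    """Read a value the way the implementation owning `lay` would."""
    typ, slot, offset = lay[name]
    return (storage.get(slot, 0) >> (8 * offset)) & ((1 << (8 * SIZES[typ])) - 1)

def upgrade_hazards(old_vars, new_vars):
    """List variables the new implementation would read from a different place."""
    old, new = layout(old_vars), layout(new_vars)
    findings = []
    for name, (typ, slot, off) in old.items():
        if name not in new:
            findings.append(f"{name}: removed, slot {slot} may be reinterpreted")
        elif new[name] != (typ, slot, off):
            n_typ, n_slot, n_off = new[name]
            findings.append(f"{name}: {typ}@{slot}+{off} -> {n_typ}@{n_slot}+{n_off}")
    return findings

# Constructed layouts: V2 declares a new variable *before* the existing ones.
V1 = [("initialized", "bool"), ("admin", "address"), ("balances", "mapping")]
V2 = [("paused", "uint256")] + V1
V3 = V1 + [("paused", "uint256")]   # append-only variant keeps every slot stable

def guard_after_upgrade(new_vars):
    """Initialize under V1, then read the `initialized` guard under new_vars."""
    storage = {}
    write(storage, layout(V1), "initialized", 1)
    write(storage, layout(V1), "admin", 0xA11CE)  # constructed admin value
    return read(storage, layout(new_vars), "initialized")

if __name__ == "__main__":
    print(upgrade_hazards(V1, V2))
    print("guard under V2:", guard_after_upgrade(V2))  # 0: initialize() is callable again
    print("guard under V3:", guard_after_upgrade(V3))
```

The model ignores inheritance order, structs and arrays, which also affect real layouts; running a layout comparison of this kind against compiler-reported storage layouts before every upgrade catches the shift before deployment.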

Pike Finance acknowledged this vulnerability, stating that the security measures for managing USDC transfers via the CCTP protocol were weak. This exploit resulted in a loss of 299,127 USDC, affecting the Ethereum, Arbitrum, and Optimism networks. However, Pike Finance assured users that this incident only affected USDC assets and that all other assets remained safe.

In response to the breach, Pike Finance is offering a 20% bounty for information leading to the recovery of the stolen assets. They are also discussing a compensation plan for affected users and plan to announce it soon. The team at Pike Finance is further investigating this breach.
