Penpie Attacked, Resulting in $30 Million Loss

by Giorgi Kostiuk

a year ago


  1. Preliminary Information
  2. Root Cause
  3. Attack Analysis

    On September 4, 2024, the decentralized liquidity yield project Penpie was attacked, resulting in nearly $30 million in losses. The SlowMist security team conducted an analysis of this incident.

    Preliminary Information

    Pendle Finance is a decentralized finance (DeFi) yield trading protocol with a total value locked (TVL) of over $4.5 billion. The protocol successfully integrates with Magpie to optimize yield opportunities and enhance its veTokenomics model. Building on this, Penpie introduces a liquidity mining feature, allowing Pendle Finance markets to generate passive income.

    Some important concepts in Pendle Finance:

    - **PT (Principal Token)**: Represents the principal amount at a future date. Holding a PT signifies ownership of the principal, which can be redeemed at maturity; for example, owning a 1-year PT-stETH option allows you to exchange it for 1 ETH worth of stETH after one year.
    - **YT (Yield Token)**: Represents future yield. Holding a YT entitles you to all real-time earnings generated by the underlying asset, which can be manually claimed on Pendle at any time. For example, if you hold 1 YT-stETH and the average yield rate of stETH is 5%, you will accumulate 0.05 stETH by the end of the year.
    - **SY (Simple Yield)**: A contract used to wrap any yield-bearing token. It provides a standardized interface to interact with any yield-generating mechanism of the token.
    - **LPT (Liquidity Provider Token)**: Represents a liquidity market and serves as a certificate for providing liquidity of the underlying asset.
    - **PRT (Pool Reward Token)**: Represents a deposit certificate for users who deposit LPT tokens into the Penpie pool.

    Root Cause

    The core issue of this incident lies in Penpie’s erroneous assumption that all markets created by Pendle Finance are legitimate when registering new Pendle markets. However, Pendle Finance’s market creation process is open, allowing anyone to create a market with customizable key parameters such as the SY contract address. Exploiting this, the attacker created a market contract with a malicious SY contract. They leveraged Penpie’s mechanism, which required calls to external SY contracts to claim rewards, and used flash loans to inject a large amount of liquidity into the market and pool, artificially inflating the rewards and profiting from it.

    Attack Analysis

    ### Preparation

    Transaction Hash: 0x7e7f9548f301d3dd863eac94e6190cb742ab6aa9d7730549ff743bf84cbd21d1

    1. The attacker first created PT and YT yield contracts through the `createYieldContract` function of the `PendleYieldContractFactory` contract, setting the SY to the address of the malicious contract. Using this, they called the `createNewMarket` function of the `PendleMarketFactoryV3` contract to create the corresponding market contract (0x5b6c_PENDLE-LPT).

    2. Next, the attacker registered the Penpie pool using the `registerPenpiePool` function of the `PendleMarketRegisterHelper` contract. This process created the PRT token contract and associated rewarder contract, and registered the pool information within Penpie.

    3. The attacker then minted a large amount of YT and PT tokens by calling the `mintPY` function of the YT contract, with the amount depending on the exchange rate returned by the malicious SY contract.

    4. The attacker deposited PT into the market 0x5b6c_PENDLE-LPT and minted LP tokens.

    5. Finally, the attacker deposited the LP tokens into the Penpie pool in exchange for PRT deposit tokens.

    ### Execution of the Attack

    Transaction Hash: 0x42b2ec27c732100dd9037c76da415e10329ea41598de453bb0c0c9ea7ce0d8e5

    1. The attacker began by borrowing a large amount of agETH and rswETH tokens through flash loans.

    2. They then called the `batchHarvestMarketRewards` function of the Penpie pool to collect rewards for the specified market in bulk, triggering the `redeemRewards` function of the market contract 0x5b6c_PENDLE-LPT.

    3. The `redeemRewards` function makes an external call to the `claimRewards` function of the SY contract (the malicious contract). During this call, the attacker used flash loan funds to add liquidity for the reward tokens (the malicious contract deliberately set the reward tokens to two market tokens: 0x6010_PENDLE-LPT and 0x038c_PENDLE-LPT) and deposited the obtained market tokens into the Penpie pool to receive corresponding deposit certificate tokens.

    4. These newly deposited market tokens in the Penpie pool were calculated as rewards, which were then transferred to the reward contract using the `queueNewRewards` function of the Rewarder contract.

    Since the attacker was the only depositor in the 0x5b6c_PENDLE-LPT market, they could immediately call the `multiclaim` function of the MasterPenpie contract to withdraw these LPT tokens from the Rewarder contract.

    5. Finally, the attacker used the `withdrawMarket` function of the `PendleMarketDepositHelper` contract to burn the PRT deposit tokens obtained in step three, redeem the market tokens, and remove the liquidity along with the rewards obtained in the previous step, ultimately obtaining the base asset tokens (agETH and rswETH) and profiting.

    This security incident exposed a lack of validation in Penpie’s market registration process, which relied too heavily on Pendle Finance’s market creation logic and allowed the attacker to manipulate the reward distribution mechanism through malicious contracts to obtain excess rewards. The SlowMist security team recommends that project teams implement stricter whitelist verification mechanisms during market registration to ensure only verified markets are accepted. Additionally, critical logic involving external contract calls should undergo enhanced audits and security testing to prevent similar incidents in the future.
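The root cause and the recommendation above can be checked with a simplified Python model of reward accounting that measures a balance delta around an external call. This is an added example, not Penpie's or SlowMist's code: every class, method and address name is hypothetical, and the harvest lock is an assumed hardening for the external-call logic alongside the allowlist the recommendation names.

```python
# Toy model of balance-delta reward accounting; constructed, names hypothetical.
class Reverted(Exception):
    """Stands in for an EVM revert."""

class CallbackSY:
    """Models an SY contract whose reward claim deposits back into the pool."""
    def __init__(self, address, user, amount):
        self.address, self.user, self.amount = address, user, amount

    def claim_rewards(self, pool):
        pool.deposit(self.user, self.amount)

class Pool:
    def __init__(self, hardened=False, allowlist=()):
        self.hardened, self.allowlist = hardened, set(allowlist)
        self.markets, self.deposits = {}, {}
        self.balance = self.queued_rewards = 0  # tokens held / booked as rewards
        self.harvesting = False                 # lock, enforced only when hardened

    def register_market(self, name, sy):
        # Control 1: register only markets whose SY contract was vetted.
        if self.hardened and sy.address not in self.allowlist:
            raise Reverted("SY not on allowlist")
        self.markets[name] = sy

    def deposit(self, user, amount):
        # Control 2: no balance-changing entry point may run mid-harvest.
        if self.hardened and self.harvesting:
            raise Reverted("deposit during harvest")
        self.balance += amount
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def harvest(self, name):
        self.harvesting = True
        try:
            before = self.balance
            self.markets[name].claim_rewards(self)  # external call into the SY
            reward = self.balance - before          # any delta is booked as reward
            self.queued_rewards += reward
            return reward
        finally:
            self.harvesting = False

    def solvent(self):  # invariant: holdings cover deposits plus queued rewards
        return self.balance >= sum(self.deposits.values()) + self.queued_rewards

def scenario(hardened, allowlist=()):
    pool = Pool(hardened, allowlist)
    pool.register_market("demo", CallbackSY("0xSY_PLACEHOLDER", "alice", 100))
    return pool.harvest("demo"), pool.solvent()
```

`scenario(False)` returns `(100, False)`: the pool books the caller's own 100-token deposit as a reward, so its obligations exceed its holdings. With `hardened=True` the same sequence reverts at registration, or at the deposit if the SY address was allowlisted.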
