Pike Finance: Inside the $1.9 Million Security Breach
Pike Finance swims in turbulent waters as a storage vulnerability nets hackers over $1.9 million across multiple attacks.
TL;DR
In the tumultuous seas of finance, even the most sophisticated vessels can find themselves vulnerable to attack. Pike Finance recently found itself in such treacherous waters, as storage vulnerabilities led hackers to net over $1.9 million in multiple attacks.
Chain Aegis, a vigilant guardian of blockchain security, caught wind of the latest exploit on April 30. This breach resulted in a staggering loss of over $1.6 million in ARB, OP, and ETH. Pike Finance swiftly confirmed the incident, marking yet another blow to its integrity.
This unfortunate event followed closely on the heels of a prior exploit related to a vulnerability in USDC, reported just days earlier. While Pike Finance acknowledged the initial breach, it appears that their response was insufficient to shore up the protocol's defenses.
Attention Pike Users:
It has come to our attention that the USDC pool on Pike Beta has been exploited by a hacker on 2024-04-26 00:13:59 (UTC). The total amount of USDC exploited is 299,127.
The root cause is led by forged CCTP message to drain USDC on Ethereum, Arbitrum and… x.com/i/web/status/1…
— Pike (@PikeFinance)
10:38 PM • Apr 26, 2024
Regrettably, the actions taken by Pike Finance post-exploit left the protocol wide open to further attacks, a critical oversight that proved costly. It's a classic case of "fool me once, shame on you; fool me twice, shame on me."
Pike Finance found itself played for a fool, falling victim not once but twice to exploits that allowed attackers to seize control and siphon funds from the protocol. As a universal liquidity market facilitating lending and borrowing using native assets directly on their respective blockchains, Pike Finance had prided itself on its security measures. However, these recent events have raised significant doubts about the platform's resilience.
According to Pike Finance, the initial exploit on April 26 stemmed from weak security measures in the platform's contract functions when handling CCTP transfers. During attempts to pause the protocol, an added dependency in the code altered the storage layout, leading to contract misbehavior. Seizing this opportunity, attackers upgraded spoke contracts without admin access, successfully siphoning off funds.
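To make the storage-layout failure mode concrete, here is an added Python example (constructed for this write-up, not Pike's code or its actual layout): it assigns slots for a hypothetical V1 contract and for a V2 that inserts a Pausable-style dependency ahead of the existing state, flags every variable that moved, and shows what V2 reads when it decodes the proxy's existing raw storage. The contract names, variables and owner address are assumptions.

```python
"""Storage-layout drift check for an upgradeable (proxy) contract.

Constructed example. Simplified Solidity rules modelled: ancestors' state
comes first, slots are assigned sequentially, small values are packed
low-order-byte-first into one 32-byte slot, and 32-byte values (uint256,
mappings, dynamic arrays) always take a whole slot.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str
    size: int  # bytes; 32 for uint256, mappings and dynamic arrays


def assign_slots(contracts: list[list[Var]]) -> dict[str, tuple[int, int, int]]:
    """name -> (slot, byte offset, size) for the concatenated state."""
    layout, slot, off = {}, 0, 0
    for vars_ in contracts:
        for v in vars_:
            if off and off + v.size > 32:  # does not fit: start a new slot
                slot, off = slot + 1, 0
            layout[v.name] = (slot, off, v.size)
            off += v.size
            if off >= 32:
                slot, off = slot + 1, 0
    return layout


def encode(layout, values):
    """Pack values into raw 256-bit slot words, lowest byte first (EVM)."""
    words = {}
    for name, (slot, off, _) in layout.items():
        words[slot] = words.get(slot, 0) | (values.get(name, 0) << (off * 8))
    return words


def decode(layout, words):
    """Read the same raw words back through a (possibly different) layout."""
    return {n: (words.get(s, 0) >> (o * 8)) & ((1 << (sz * 8)) - 1)
            for n, (s, o, sz) in layout.items()}


def moved_vars(old, new):
    """Variables whose position differs between two layouts: unsafe upgrade."""
    return sorted(n for n, pos in old.items() if new.get(n) != pos)


OWNER = int("11" * 20, 16)  # constructed 20-byte admin address
V1 = [[Var("owner", 20)], [Var("totalDeposits", 32), Var("balances", 32)]]
V2 = [[Var("paused", 1)]] + V1  # dependency inserted ahead of V1's state


def simulate_upgrade():
    """Return (moved variables, what V2 decodes from V1's raw storage)."""
    old, new = assign_slots(V1), assign_slots(V2)
    raw = encode(old, {"owner": OWNER, "totalDeposits": 1_000})
    return moved_vars(old, new), decode(new, raw)
```

Run against real `solc --storage-layout` output, the same `moved_vars` check is the gate an upgrade process should enforce before any implementation swap; in the constructed case V2 sees a corrupted `owner` and a non-zero `paused`, so every admin check evaluates against garbage.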
Dear Community,
We would like to clarify some of the language used in our announcement.
The term “USDC vulnerability” was inaccurate for summarizing last week's exploit. The exploit was caused by weak security measures in Pike's contract functions when handling CCTP transfers.
— Pike (@PikeFinance)
4:30 PM • May 1, 2024
What's more, the attacker hit Arbitrum and Optimism as well as Ethereum, exploiting the same smart contract vulnerability across all three networks. Quill Audits detailed the intricate process by which the attacker manipulated contract functions, highlighting the sophisticated nature of the attack.
Despite the severity of these breaches, Pike Finance's response has been less than reassuring. The absence of public audits and bug bounty programs raises serious concerns about the platform's commitment to security. Furthermore, Pike's delayed updates and vague promises of a "report and plan" do little to inspire confidence among investors, particularly those who participated in the $6.45 million token presale.
As Pike Finance struggles to regain its footing amidst these security woes, investors and users are left wondering whether the platform can weather the storm or if it's destined to sink beneath the waves of mistrust. In an industry where security is paramount, Pike Finance's cavalier attitude towards safeguarding its protocol raises red flags.
Will Pike Finance emerge from these turbulent waters stronger and more resilient, or will it serve as yet another cautionary tale of the dangers of neglecting security in the world of decentralized finance? Only time will tell.