Pine Protocol Suffers $92,000 Security Breach

December 21, 2023

Summary #

Pine Protocol, a decentralized, non-custodial asset-backed lending platform, suffered a security breach on December 21, 2023, due to a vulnerability in its smart contract on the Ethereum Mainnet. This exploit resulted in a loss of approximately 40 ETH ($92,000), exploiting the protocol across multiple transactions. The attack was facilitated by a flaw related to shared pools between two different contracts within the platform.

Attackers #

The identity of the attacker is unknown.

Hacker Ethereum Wallet:

0x05324c970713450bA0Bc12EfD840034FCB0A4BAa

Losses #

The loss amounted to 40 ETH worth $92,000.

Timeline #

December 21, 2023, 04:10:47 PM UTC: The first malicious transaction occurred.
December 21, 2023, 07:07:23 PM UTC: The hacker sent an on-chain message stating their intention to keep half of the stolen funds as a bounty.
December 21, 2023, 07:27:23 PM UTC: The Pine Protocol team thanked the hacker for his willingness to return the funds, inviting further discussion to understand the exploit better.
December 21, 2023, 09:18:47 PM UTC: The Attacker withdrew 20 ETH to Tornado Cash.

Security Failure Causes #

Smart Contract Vulnerability: The vulnerability stemmed from shared pools between two versions of contracts within Pine Protocol. This issue arose from the most recent update to the protocol, where both old and new contract versions shared the same pool address, allowing the exploiter to manipulate fund transfers across different pools. The attacker exploited this by borrowing assets using NFT tokens as collateral and then using a flash loan from the old pool version to repay the initially borrowed assets.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam