Pike Finance exploited for $1.7 million in second incident

April 30, 2024

Summary #

On April 30, 2024, Pike Finance, a Cross-chain Bridge and a Lending Protocol for native assets, was exploited across the Ethereum, Optimism, and Arbitrum chains due to a smart contract vulnerability. $1.7 million worth of assets was siphoned out from the protocol. The smart contract storage misalignment issue was utilized, whith allowed the attacker to bypass owner permissions. Initially, the protocol was exploited four days before the incident, which led to a loss of nearly $300,000 and a temporary pause of operations. To resolve previous security issue, the protocol’s team upgraded the smart contract’s code, which created a new vulnerability related to smart contract’s storage. It is worth mentioning that there is no evidence that two attacks were performed by the same actor. Asset transfer methods are also differs - the first attacker used TornadoCash, while the second used Railgun.

Attackers #

The identity of the attacker remains unknown. The attacker utilized the same address across three chains:

0x19066f7431df29a0910d287c8822936bb7d89e23

Losses #

Pike Finance suffered a loss of approximately $1.7 million in native assets. Lost assets breakdown:

479.39 ETH worth 1,443,443 USD
64,126.66 OP worth 164,782 USD
99,970.48 ARB worth 99,463 USD

Timeline #

April 25, 2024, 11:48 PM UTC: The first attack begun on the Arbitrum chain.
April 26, 2024, 10:37 AM UTC: The initial attacker finished funds withdrawal using TornadoCash.
April 28, 2024: Pike Finance team posted an incident post-mortem.
April 30, 2024, 09:45 PM UTC: The second attack started on the Optimism chain.
April 30, 2024, 10:19 PM UTC: A malicious transaction occurred on the Ethereum chain with over $1.4 million worth of ETH.
April 30, 2024, 10:23 PM UTC: The attacker transferred the stolen funds via Railgun.
May 2, 2024: The Pike Finance team posted a detailed post-mortem regarding the second attack.

Security Failure Causes #

Smart Contract Vulnerability: The root cause of the exploit was a smart contract storage misalignment. In particular, the storage position of initialized variable was set to false after the protocol’s team upgraded smart contracts. This issue allowed attacker to reinitialize contracts by making himself a new admin and subsequently withdraw funds using privileged functions.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam