Pine Protocol Suffers $92,000 Security Breach
Summary
Pine Protocol, a decentralized, non-custodial asset-backed lending platform, suffered a security breach on December 21, 2023, due to a vulnerability in its smart contract on the Ethereum Mainnet. The exploit was carried out across multiple transactions and resulted in a loss of approximately 40 ETH ($92,000). The attack was made possible by a flaw in which two different contracts within the platform shared the same pools.
Attackers
The identity of the attacker is unknown.
Hacker Ethereum Wallet:
Losses
The loss amounted to 40 ETH worth $92,000.
Timeline
- December 21, 2023, 04:10:47 PM UTC: The first malicious transaction occurred.
- December 21, 2023, 07:07:23 PM UTC: The hacker sent an on-chain message stating their intention to keep half of the stolen funds as a bounty.
- December 21, 2023, 07:27:23 PM UTC: The Pine Protocol team thanked the hacker for his willingness to return the funds, inviting further discussion to understand the exploit better.
- December 21, 2023, 09:18:47 PM UTC: The attacker withdrew 20 ETH to Tornado Cash.
Security Failure Causes
- Smart Contract Vulnerability: The vulnerability stemmed from shared pools between two versions of contracts within Pine Protocol. This issue arose from the most recent update to the protocol, where both old and new contract versions shared the same pool address, allowing the exploiter to manipulate fund transfers across different pools. The attacker exploited this by borrowing assets using NFT tokens as collateral and then using a flash loan from the old pool version to repay the initially borrowed assets.
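
A simplified accounting model of the shared-pool flaw described above, added here as an illustration and not Pine Protocol's contract code. The class names, the constructed figures and the balance-only flash-loan check are assumptions; `simulate` compares one pool shared by both versions with a separate pool per version.

```python
# Toy accounting model (constructed; not Pine Protocol's contract code).
class Pool:
    def __init__(self, eth):
        self.eth = eth

class LendingV2:
    """New version: lends pool funds against NFT collateral."""
    def __init__(self, pool):
        self.pool, self.debt = pool, {}

    def borrow(self, who, amount):
        self.pool.eth -= amount
        self.debt[who] = self.debt.get(who, 0) + amount
        return amount

    def repay(self, who, amount):
        self.pool.eth += amount
        self.debt[who] -= amount  # collateral is released once debt is 0

class LendingV1:
    """Old version: flash loan checked only by pool balance (assumption)."""
    def __init__(self, pool):
        self.pool = pool

    def flash_loan(self, amount, callback):
        before = self.pool.eth
        self.pool.eth -= amount
        callback(amount)
        if self.pool.eth < before:
            raise RuntimeError("flash loan not repaid")

def simulate(shared_pool):
    pool_v2 = Pool(100)  # constructed balance
    pool_v1 = pool_v2 if shared_pool else Pool(100)
    v1, v2 = LendingV1(pool_v1), LendingV2(pool_v2)
    pools = [pool_v1] if shared_pool else [pool_v1, pool_v2]
    initial = sum(p.eth for p in pools)
    v2.borrow("borrower", 40)  # loan taken against NFT collateral
    saved = (pool_v1.eth, pool_v2.eth, dict(v2.debt))
    try:
        # Old-version flash loan is used to repay the new-version loan.
        v1.flash_loan(40, lambda amt: v2.repay("borrower", amt))
        reverted = False
    except RuntimeError:
        pool_v1.eth, pool_v2.eth, v2.debt = saved  # model a revert
        reverted = True
    held, debt = sum(p.eth for p in pools), v2.debt["borrower"]
    # Invariant: funds held plus outstanding debt equals funds deposited.
    return {"reverted": reverted, "debt": debt,
            "invariant_ok": held + debt == initial}
```

With a shared pool, `simulate(True)` clears the debt while the pool stays short, so the invariant fails. With separate pools, `simulate(False)` fails the flash-loan check and the model reverts with the debt still recorded.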