Pike Finance exploited for $1.7 million in second incident

Summary

On April 30, 2024, Pike Finance, a cross-chain bridge and lending protocol for native assets, was exploited across the Ethereum, Optimism, and Arbitrum chains due to a smart contract vulnerability. $1.7 million worth of assets was siphoned out of the protocol. The attacker abused a smart contract storage misalignment issue, which allowed them to bypass owner permissions. The protocol had already been exploited four days before this incident, which led to a loss of nearly $300,000 and a temporary pause of operations. To resolve that earlier security issue, the protocol's team upgraded the smart contract code, and the upgrade introduced a new vulnerability related to the smart contract's storage layout. It is worth mentioning that there is no evidence that the two attacks were performed by the same actor. The asset transfer methods also differ: the first attacker used Tornado Cash, while the second used Railgun.

Attackers

The identity of the attacker remains unknown. The attacker used the same address across all three chains:

Losses

Pike Finance suffered a loss of approximately $1.7 million in native assets. Lost assets breakdown:

  • 479.39 ETH worth 1,443,443 USD
  • 64,126.66 OP worth 164,782 USD
  • 99,970.48 ARB worth 99,463 USD

Timeline

Security Failure Causes

Smart Contract Vulnerability: The root cause of the exploit was a smart contract storage misalignment. In particular, after the protocol's team upgraded the smart contracts, the storage position of the initialized variable held false. This allowed the attacker to reinitialize the contracts, make himself the new admin, and subsequently withdraw funds using privileged functions.
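The failure described above is a storage-layout drift between two implementation versions behind the same proxy storage: when the upgrade shifts the slot in which the initialization flag lives, the proxy's storage at the new slot was never written by the old code and reads as zero, so the initializer can be run again. The following is an added example, not Pike Finance's code; it models a simplified version of Solidity's sequential storage packing and diffs two hypothetical variable layouts (constructed for illustration, not the protocol's actual contract) so that a deployment pipeline can refuse an upgrade that moves or overwrites existing variables.

```python
"""Storage-layout drift check for upgradeable contracts.

Implements a simplified version of Solidity's sequential storage packing
(value types are packed into 32-byte slots in declaration order; mappings and
anything that does not fit start a fresh slot) and reports variables whose
slot changed between two implementation versions.  Layouts are constructed
for illustration and are not taken from any real contract.
"""
from dataclasses import dataclass

# Byte sizes of the value types handled here; a mapping occupies a full slot.
SIZES = {"bool": 1, "uint8": 1, "uint64": 8, "uint128": 16, "uint256": 32,
         "address": 20, "bytes32": 32, "mapping": 32}


@dataclass(frozen=True)
class Var:
    name: str
    typ: str


@dataclass(frozen=True)
class Location:
    slot: int
    offset: int  # byte offset inside the 32-byte slot


def layout(variables):
    """Assign a (slot, offset) to every variable following sequential packing."""
    slot, offset, result = 0, 0, {}
    for v in variables:
        size = SIZES[v.typ]
        # Mappings and values that do not fit in the remaining bytes start a new slot.
        if v.typ == "mapping" or offset + size > 32:
            if offset != 0:
                slot += 1
            offset = 0
        result[v.name] = Location(slot, offset)
        offset += size
        if v.typ == "mapping" or offset == 32:
            slot += 1
            offset = 0
    return result


def storage_drift(old_vars, new_vars):
    """Return (moved, collisions).

    moved:      variables present in both versions whose location changed.
    collisions: new-version variables that now read a location which the
                old version used for a *different* variable, i.e. they see
                stale data written under another name.
    """
    old, new = layout(old_vars), layout(new_vars)
    moved = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    old_by_loc = {loc: n for n, loc in old.items()}
    collisions = {n: old_by_loc[loc] for n, loc in new.items()
                  if loc in old_by_loc and old_by_loc[loc] != n}
    return moved, collisions


def upgrade_is_safe(old_vars, new_vars):
    """An upgrade is safe only if every old variable keeps its location and
    nothing new aliases a location the old code already used."""
    moved, collisions = storage_drift(old_vars, new_vars)
    return not moved and not collisions and all(
        v.name in layout(new_vars) for v in old_vars)


# Constructed layouts.  V1 is the deployed implementation; V2_BAD inserts a new
# variable at the top and pushes `initialized` into a slot the proxy never
# wrote under that meaning; V2_GOOD appends the new variable instead.
V1 = [Var("initialized", "bool"), Var("admin", "address"),
      Var("totalBorrows", "uint256")]
V2_BAD = [Var("reserveFactor", "uint256")] + V1
V2_GOOD = V1 + [Var("reserveFactor", "uint256")]

if __name__ == "__main__":
    moved, collisions = storage_drift(V1, V2_BAD)
    for name, (before, after) in moved.items():
        print(f"{name}: slot {before.slot}+{before.offset} -> slot {after.slot}+{after.offset}")
    for name, stale in collisions.items():
        print(f"{name} now reads storage previously owned by {stale}")
    print("V2_BAD safe:", upgrade_is_safe(V1, V2_BAD))
    print("V2_GOOD safe:", upgrade_is_safe(V1, V2_GOOD))
```

Running the check on V2_BAD reports that `initialized` moved from slot 0 to slot 1 and now reads bytes that V1 wrote as `totalBorrows`, which is exactly the condition under which an initializer guard stops protecting the contract; the check passes for V2_GOOD because new state is only appended. In a real pipeline the layouts would come from the compiler's storage-layout output rather than hand-written lists, and the upgrade would be rejected (or at least flagged) whenever the safe check fails.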