Second Exploit in 3 Days: Pike Finance Loses $1.6M

Key takeaways:

• Pike Finance was breached, leading to the loss of digital assets valued at $1.68 million.
• For the return of the funds or information that helps recover the funds, Pike Finance is offering a 20% incentive.

Pike Finance was breached, leading to the loss of digital assets valued at $1.68 million. This is the second protocol to be exploited in three days, according to the incident.

On April 30, a $1.68 million vulnerability affecting the Ethereum, Arbitrum, and Optimism chains affected the Decentralized Finance (DeFi) lending protocol Pike Finance, according to a study by on-chain analytics company CertiK.

According to CertiK, the attacker emptied the contract of over $1.4 million worth of Ether, $150,000 worth of Optimism (OP) tokens, and over $100,000 worth of Arbitrum (ARB) tokens by changing the output address of Pike Finance’s smart contract. On April 26, Pike was the victim of a $300,000 scam as well.

According to a May 1 X post by Pike Finance, the two assaults were caused by the same smart contract vulnerability that gave the attacker the opportunity to override the contract:

“This misalignment caused the contract to behave as if it was uninitialized since the *initialized* variable could no longer be accessed. As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and as a result, withdraw funds.”

For the return of the funds or information that helps recover the funds, Pike Finance is offering a 20% incentive. The exploit will be looked into further by the protocol.

After a few hours of the first X post, Pike Finance made another post mentioning that the exploit occurred due to “weak security” measures in their contract functions when handling CCTP transfers. 

Dear Community,

We would like to clarify some of the language used in our announcement.

The term “USDC vulnerability” was inaccurate for summarizing last week's exploit. The exploit was caused by weak security measures in Pike's contract functions when handling CCTP transfers. https://t.co/PrY73GO6kh

— Pike (@PikeFinance) May 1, 2024

Recently, Yield Protocol, the defunct decentralized finance (DeFi) lending network, took yet another hit in April 2024 when hackers took advantage of a flaw in its smart contracts. 

This is despite the platform ceasing operations in December 2023 due to regulatory pressures and a lack of demand. The hack, which was directed at Yield’s contracts on the Arbitrum blockchain, caused the crypto assets to be stolen for about $181,000 in total.