Pike Finance Update on Recent Exploit
On May 1, DeFi protocol Pike Finance provided new information regarding a recent exploit and clarified that it was not due to a USDC vulnerability, as previously stated. In its latest statement the company acknowledged that the term “USDC vulnerability” was an inaccurate summary of the exploit that took place the previous week.
Instead, the exploit resulted from weaknesses in Pike’s own contract functions, specifically in how they handled transfers on Circle’s Cross-Chain Transfer Protocol (CCTP). Pike Finance highlighted that the root cause was not related to the functionality or robustness of Circle’s USDC as enabled by CCTP, nor of Gelato, a smart contract automation protocol.
Initially, Pike Finance took full responsibility for the first attack that occurred on April 26. They admitted that the exploit was a consequence of improper integration of third-party technologies by the protocol team. Pike mentioned that certain checks were solely the responsibility of Pike as the integrator.
However, after the April 30 incident, Pike Finance referred back to the first attack and mistakenly suggested a connection to a “USDC vulnerability,” a characterization it has since retracted. Both attacks resulted in significant losses for Pike Finance.
Losses Incurred
The April 30 attack led to the theft of 99,970.48 ARB, 64,126 OP, and 479.39 ETH, resulting in a loss of $1.7 million according to Certik data. The earlier April 26 attack involved the loss of 299,127 USDC across Ethereum, Arbitrum, and Optimism platforms, as per Pike Finance statements.
Cause of the Attacks
The first attack on April 26 was a result of vulnerabilities in the functions handling USDC transfers on CCTP, automated by Gelato. These vulnerabilities allowed attackers to manipulate receiver addresses and amounts in a way that Pike Finance’s contracts validated as legitimate, because the third-party features had been integrated improperly. Pike Finance mentioned that its auditing partner, OtterSec, had alerted it to the issue, but the team was unable to address it before the attack.
The second attack occurred after Pike Finance updated its spoke contracts to pause the network. The update caused the contract to behave as if it were uninitialized, which allowed attackers to upgrade the contract, bypass admin access, and withdraw funds.
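The re-initialization failure mode described above, shown as an added illustration in Solidity (this is not Pike’s code, which does not appear on this page; the contract names and the simplified proxy logic are assumptions): a weak logic contract whose initializer can be re-run, beside a guarded form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: a minimal upgradeable logic contract where initialize()
// also assigns the admin, as is typical of proxy-based protocols.
// Weak form: nothing stops initialize() from running again. If the stored
// state is reset (or was never set), any caller can claim admin and then
// upgrade the contract or withdraw funds, the behaviour the article describes.
contract WeakUpgradeable {
    address public admin;
    address public implementation;

    function initialize(address _admin) external {
        admin = _admin; // no re-initialization guard
    }

    function upgradeTo(address newImpl) external {
        require(msg.sender == admin, "not admin");
        implementation = newImpl;
    }
}

// Hardened form: a one-way flag guards the initializer, and the logic contract
// locks its own storage in the constructor so it can only ever be initialized
// once, through the proxy's storage. Caveat: the guard only holds if every
// upgrade keeps the flag in the same storage slot; a layout change that moves
// or overwrites it makes the contract read as "uninitialized" again.
contract GuardedUpgradeable {
    address public admin;
    address public implementation;
    bool private _initialized;

    constructor() {
        _initialized = true; // lock the logic contract itself
    }

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _admin) external initializer {
        require(_admin != address(0), "zero admin");
        admin = _admin;
    }

    function upgradeTo(address newImpl) external {
        require(msg.sender == admin, "not admin");
        require(newImpl.code.length > 0, "not a contract");
        implementation = newImpl;
    }
}
```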
Despite Pike Finance being one of several DeFi projects affected by exploits, reports from April indicated reduced losses from scams and exploits within the decentralized finance sector.