According to BlockBeats, on September 5, Penpie released a report on a hacker attack, in which a total of 11,113.6 ETH were stolen, worth about $27.34 million. The attacker exploited a security vulnerability on the Penpie platform, which was located in the batchHarvestMarketRewards() function of the PendleStakingBaseUpg contract. The attacker repeatedly added new deposits from flash loans by reentering the depositMarket() function, which allowed the attacker to manipulate the reward tokens and the amount sent to the fake Pendle market depositor (the attacker himself).
The Penpie team has urgently suspended deposit and withdrawal functions and is working with multiple security agencies to track the stolen funds. Currently, the Penpie front end has been restored and the team is working with law enforcement agencies to identify and arrest the attackers. In addition, the Penpie team will initiate a governance vote to determine the compensation plan.
