Post-Mortem Report: Pike USDC Withdrawal Vulnerability

This report aims to transparently outline the circumstances that led to the financial loss and to assure our users that we are committed to implementing immediate measures to recover stolen funds.

On April 26, 2024, at 00:13:59 UTC, Pike Finance experienced a security breach caused by the exploitation of a vulnerability within the Pike protocol. This resulted in a financial loss of 299,127 USDC incurred across three networks: Ethereum, Arbitrum, and Optimism.

Only USDC was affected; all other assets are safe.

Details of vulnerability

The vulnerability was caused by insufficient protection and input validation in the functions that manage USDC transfers via Circle's CCTP. Specifically, the critical flaw was in the functions that burn USDC on a source chain and mint it on a target chain (the minting step was automated with Gelato's automation service).

Because these functions were inadequately protected, the attacker was able to supply an arbitrary receiver address and amount, and the Pike protocol processed those values as valid.

Disclaimer and Acknowledgment

It is important to clarify that this vulnerability had previously been identified by our auditing partner, OtterSec. Our development team did not address the identified vulnerability in time.

We acknowledge that this oversight led to the exploit. We also emphasize that the vulnerability is not due to any inherent issue in the CCTP protocol or in Gelato's automation services; it was a consequence of the protocol team's improper integration of these third-party technologies.

USDC Mint Automation

CCTP separates burning from minting: USDC is burned on the source chain, and minting on the target chain requires an attestation from Circle Iris, an off-chain service that monitors burn events on source chains and authorizes minting on target chains. To automate the minting step, Pike integrated Gelato's automation service.

It is crucial to note that neither CCTP nor Gelato is designed to verify whether a receiver address or transaction amount is legitimate from the integrator's point of view. Responsibility for these checks lies solely with Pike as the integrator.
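The following Solidity sketch is an added example and is not Pike's code. It shows the class of bug the report describes (a burn function whose amount and destination recipient are taken from the caller) next to a hardened form that binds both to the authenticated account. The `ITokenMessenger.depositForBurn` signature follows Circle's published CCTP TokenMessenger contract; the Pike-side contract layout, the `balanceOf` ledger, the domain allowlist and the function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Pike's code. The TokenMessenger interface follows
// Circle's published CCTP contract; the Pike-side contract layout, the
// balance ledger and the domain allowlist are assumptions.
interface ITokenMessenger {
    function depositForBurn(
        uint256 amount,
        uint32 destinationDomain,
        bytes32 mintRecipient,
        address burnToken
    ) external returns (uint64 nonce);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE (assumed shape): any caller chooses both the amount to burn and
// the address that receives the minted USDC on the destination chain. Nothing
// ties `amount` to a balance the caller holds in the protocol and nothing
// ties `mintRecipient` to the caller, so anyone can move the contract's USDC
// to an address of their choosing on another chain.
contract VulnerableCctpWithdraw {
    ITokenMessenger public immutable messenger;
    address public immutable usdc;

    constructor(ITokenMessenger m, address token) {
        messenger = m;
        usdc = token;
    }

    function withdrawUSDC(uint256 amount, uint32 destDomain, bytes32 mintRecipient) external {
        IERC20(usdc).approve(address(messenger), amount);
        messenger.depositForBurn(amount, destDomain, mintRecipient, usdc);
    }
}

// HARDENED: the contract keeps its own USDC ledger, debits the caller before
// the external call, restricts destination domains to an allowlist and
// derives the CCTP mint recipient from msg.sender, so the caller can neither
// inflate the amount nor redirect the mint.
contract HardenedCctpWithdraw {
    ITokenMessenger public immutable messenger;
    address public immutable usdc;
    mapping(address => uint256) public balanceOf;   // assumed protocol-side USDC ledger
    mapping(uint32 => bool) public allowedDomain;   // CCTP domains the protocol supports

    event WithdrawRequested(address indexed user, uint32 destDomain, uint256 amount, uint64 nonce);

    constructor(ITokenMessenger m, address token, uint32[] memory domains) {
        messenger = m;
        usdc = token;
        for (uint256 i = 0; i < domains.length; i++) allowedDomain[domains[i]] = true;
    }

    // Crediting balanceOf on deposit is omitted; that is the protocol's
    // ordinary supply path.
    function withdrawUSDC(uint256 amount, uint32 destDomain) external {
        require(amount > 0, "zero amount");
        require(allowedDomain[destDomain], "unsupported destination domain");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;                 // effects before interaction

        // CCTP expects the recipient as a bytes32 holding the left-padded EVM address.
        bytes32 mintRecipient = bytes32(uint256(uint160(msg.sender)));
        require(IERC20(usdc).approve(address(messenger), amount), "approve failed");
        uint64 nonce = messenger.depositForBurn(amount, destDomain, mintRecipient, usdc);
        emit WithdrawRequested(msg.sender, destDomain, amount, nonce);
    }
}
```

Deriving the recipient from `msg.sender` is the right default for externally owned accounts. If a protocol must accept a caller-supplied recipient (for example for smart-contract wallets that do not exist at the same address on the destination chain), that recipient still has to be bound to the authenticated account, such as being registered in advance by that account, rather than taken from an unauthenticated argument. Note also that the Iris attestation submitted on the destination chain only proves that a burn with those parameters occurred, not that the burn was authorized, so the checks belong on the burn side regardless of who automates the mint.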

Incident timeline

On April 24, 2024, the Pike protocol enabled and publicly announced the ability to withdraw USDC via CCTP. Two days later, on April 26, 2024, at 00:13:59 UTC, an attacker exploited the vulnerability, resulting in the unauthorized withdrawal of 299,127 USDC.

On the same day, the Pike team halted all protocol operations to contain and minimize losses and began investigating the exploit together with third parties.

Attacker

  • Initial Funding — The attacker's address was initially funded through Binance, followed by a series of transfers via the Orbiter and Stargate bridges.

  • Asset Conversion — The stolen USDC was swapped for ETH and subsequently withdrawn through Tornado Cash.

Actions performed within the first 90 minutes

  • Pike protocol was paused at smart contract level

  • An Etherscan IDM (on-chain input data message) was sent to the attacker's address requesting cooperation

  • Consultations were held with our auditing partners to pin down the impact

  • Collaborations were established with legal and security experts

  • Communication was initiated with our CCTP and Gelato integration partners to obtain logs and any additional data that could help us learn more about the exploit and the attacker

  • Data requests were made to Binance support and bridge services for further information

Current Status

As of today, no funds have been recovered, and we have been unable to establish contact with the attacker.

We are engaging legal counsel and law enforcement to assist with a full trace of the funds.

Next Steps

This was an extremely costly lesson, and we are committed to learning from it by taking the following corrective actions:

  • Disable USDC withdrawals via CCTP in the current version of Pike

  • Implement delayed withdrawals for all assets to further enhance security

  • Unpause protocol operations to allow users to manage their funds

These measures mean rolling back to the version of the Pike protocol deployed before the CCTP feature was enabled, and introducing delayed withdrawals as an additional security measure.
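The report does not describe how delayed withdrawals will be implemented. The following Solidity sketch is an added example of the usual two-step pattern (request, wait, execute) and is not Pike's code; the one-day delay, the guardian role, the single-token ledger and the function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a two-step delayed withdrawal; not Pike's code.
// The delay length, the guardian role and the single-token ledger are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DelayedWithdrawals {
    struct Request {
        address user;     // account that was debited
        address to;       // payout address
        uint256 amount;
        uint64 readyAt;   // earliest timestamp at which executeWithdraw() succeeds
    }

    uint64 public constant DELAY = 1 days;            // assumed value
    IERC20 public immutable token;
    address public immutable guardian;                // may cancel suspicious requests during the delay
    mapping(address => uint256) public balanceOf;     // assumed protocol-side ledger
    mapping(uint256 => Request) public requests;
    uint256 public nextId;

    event WithdrawRequested(uint256 indexed id, address indexed user, address to, uint256 amount, uint64 readyAt);
    event WithdrawExecuted(uint256 indexed id);
    event WithdrawCancelled(uint256 indexed id);

    constructor(IERC20 t, address g) {
        token = t;
        guardian = g;
    }

    // Step 1: the user is debited immediately, so the same funds cannot be
    // queued twice, but nothing leaves the contract yet.
    function requestWithdraw(address to, uint256 amount) external returns (uint256 id) {
        require(amount > 0, "zero amount");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        id = nextId++;
        uint64 readyAt = uint64(block.timestamp) + DELAY;
        requests[id] = Request(msg.sender, to, amount, readyAt);
        emit WithdrawRequested(id, msg.sender, to, amount, readyAt);
    }

    // Step 2: anyone may execute once the delay has elapsed; the request is
    // deleted before the token call so it cannot be replayed or re-entered.
    function executeWithdraw(uint256 id) external {
        Request memory r = requests[id];
        require(r.amount != 0, "unknown request");
        require(block.timestamp >= r.readyAt, "delay not elapsed");
        delete requests[id];
        require(token.transfer(r.to, r.amount), "transfer failed");
        emit WithdrawExecuted(id);
    }

    // The delay only helps if someone can act during it: the guardian (or the
    // requesting user) can cancel a pending request and restore the balance.
    function cancelWithdraw(uint256 id) external {
        Request memory r = requests[id];
        require(r.amount != 0, "unknown request");
        require(msg.sender == guardian || msg.sender == r.user, "not authorized");
        delete requests[id];
        balanceOf[r.user] += r.amount;
        emit WithdrawCancelled(id);
    }
}
```

The value of the delay comes from the cancellation window: monitoring should alert on `WithdrawRequested` events whose size or destination is unusual, so that the guardian can cancel them before `readyAt`. Without that monitoring and a responder who can act within the delay, the timelock only postpones a theft rather than preventing it.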

We will continue to work closely with our auditing partners to ensure that any code changes enhance the security of the Pike protocol and the safety of user funds.

Further updates on the implementation timeline, along with proposals to recapitalize the loss, will be communicated in the coming days. Stay tuned for announcements.
