Post-Mortem Report: Pike Contract Upgrade Vulnerability

This report aims to transparently outline the circumstances that led to the financial loss and to assure our users that we are committed to implementing immediate measures to recover stolen funds.

On April 30th, Pike Finance experienced a second significant security breach due to the exploitation of a vulnerability related to a recent contract upgrade. This incident resulted in a substantial financial loss of 99,970.48 ARB, 64,126 OP, and 479.39 ETH.

Details of Vulnerability

The vulnerability stemmed from an oversight during the upgrade of the Spoke contract, which was part of the measures taken to address the initial USDC vulnerability reported on April 26th.

The upgrade had altered the storage layout of the Spoke contract, particularly affecting the position of initialized variables. This misalignment in storage mapping caused the contract to behave as if it were uninitialized. As a result, attackers were able to bypass access controls and execute unauthorized upgrades and withdrawals.
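To make the failure mode concrete, here is a simplified model of the storage-layout mistake described above. It is an illustrative example added to this report, not Pike's code; the contract names, fields and slot numbers are assumptions chosen for the model. A proxy keeps the storage while each implementation version only supplies code, so every version must read the same slot for the same meaning.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model, NOT Pike's code. Names, fields and slot numbers are
// assumptions. The proxy owns the storage; implementations only supply code.

// Version 1 as deployed behind the proxy.
contract SpokeV1 {
    address public admin;                        // slot 0
    uint256 public totalDeposits;                // slot 1
    bool public initialized;                     // slot 2 (own slot: the word before it is full)
    mapping(address => uint256) public balances; // slot 3 is the base slot; entries live at keccak256(key, 3)

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Called once through the proxy right after deployment.
    function initialize(address admin_) external {
        require(!initialized, "already initialized");
        initialized = true;
        admin = admin_;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount; // checked math: reverts if the balance is too small
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Version 2, UNSAFE: a field was inserted in the middle of the layout.
// Pointed at the V1 proxy, `initialized` now reads slot 3, which V1 used as
// the never-written mapping base slot, so it reads false and the one-time
// initialize() guard no longer holds; `balances` is now hashed against slot 4,
// so every existing balance appears to be zero. The code did not change; only
// the layout moved underneath it.
contract SpokeV2Unsafe {
    address public admin;                        // slot 0 (unchanged)
    uint256 public totalDeposits;                // slot 1 (unchanged)
    uint256 public pausedUntil;                  // slot 2  <-- NEW field shifts everything below it
    bool public initialized;                     // slot 3  (was 2)
    mapping(address => uint256) public balances; // slot 4  (was 3)

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function initialize(address admin_) external {
        require(!initialized, "already initialized"); // passes on the proxy: slot 3 is zero
        initialized = true;
        admin = admin_;
    }

    function pause(uint256 until) external onlyAdmin { pausedUntil = until; }
}

// Version 2, SAFE: existing fields keep their slots, new fields are appended,
// a gap reserves room for later versions, and the implementation locks its
// own storage in the constructor so initialize() can only run through the
// proxy (same idea as OpenZeppelin's _disableInitializers()).
contract SpokeV2Safe {
    address public admin;                        // slot 0
    uint256 public totalDeposits;                // slot 1
    bool public initialized;                     // slot 2
    mapping(address => uint256) public balances; // slot 3
    uint256 public pausedUntil;                  // slot 4  <-- appended, nothing above it moved
    uint256[45] private __gap;                   // slots 5..49 reserved for future appends

    constructor() { initialized = true; }        // the implementation's own storage, not the proxy's

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function initialize(address admin_) external {
        require(!initialized, "already initialized"); // still reads slot 2, which is true on the proxy
        initialized = true;
        admin = admin_;
    }

    function pause(uint256 until) external onlyAdmin { pausedUntil = until; }
}
```

Before pointing a proxy at a new implementation, diff the two layouts, for example with Foundry's `forge inspect SpokeV1 storage-layout` against the same command for the new contract, and treat any existing field whose slot or offset changed as a blocker; the OpenZeppelin Upgrades plugins perform this comparison automatically. If a new version genuinely needs to set new fields on an already-initialized proxy, use a versioned reinitializer rather than relaxing the original initialize() guard.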

Disclaimer and Acknowledgment

We acknowledge that this oversight occurred during the process of trying to secure the protocol from the first exploit. It is crucial to note that the vulnerability was not due to inherent issues within the Pike protocol itself but was a consequence of a hastily completed contract upgrade.

Incident Timeline

  • 2024-04-26: Initial USDC vulnerability exploited.

  • 2024-04-26 to 2024-04-30: Efforts to pause and upgrade protocol functions to enhance security.

  • 2024-04-30 21:47: Attackers exploited the contract upgrade vulnerability, leading to unauthorized withdrawals.

Attacker

  • Hacker Wallet: 0x19066f7431df29A0910d287C8822936Bb7D89E23

  • Asset Conversion: The stolen assets were quickly moved and diversified across different cryptocurrencies.

Current Status

As of today, no funds have been recovered, and no direct contact with attackers has been established. The investigation is ongoing, and we are working closely with external experts to trace the stolen assets.

Planned Next Steps

In response to this incident, we are taking corrective action through continued collaboration with security experts and auditors to ensure the integrity of our platform.

We are committed to learning from these incidents and strengthening our systems to protect our users' assets.

We will be publishing a report of all the users on Pike with their outstanding balances, with restitution to be made in the next week or so.

Further updates on our progress will be communicated in the coming days, so please keep an eye on our Twitter.

We appreciate the patience and support of our community as we work through these challenges.
