The hacker behind the Penpie protocol breach has reportedly withdrawn approximately $7 million of the stolen funds through the crypto mixer Tornado Cash just 12 hours after stealing $27 million.
🚨ALERT🚨@Penpiexyz_io exploiter has deposited around $7M to @TornadoCash at https://t.co/f17YcJ6blH
Want to keep your company off our alerts radar? Learn how to secure your assets: Book a Demo 🚀 https://t.co/uUbFkFTp4h#CyversAlert https://t.co/zFX85sK9A9 pic.twitter.com/J20g3HS2T0
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 4, 2024
On September 4, cybersecurity firm Cyvers reported that the hacker had transferred 26% of the stolen funds to a wallet address linked to Tornado Cash. Blockchain security firm PeckShield has also confirmed this and stated that the hacker’s address continues to launder the remaining funds through multiple transactions directed to the crypto mixer.
Notably, Cyvers Alerts had earlier raised alarms about suspicious activity on the protocol’s smart contracts. The activity was linked to a wallet address tied to Tornado Cash.
Meanwhile, the development team of Pendle, the platform on which the Penpie protocol is built, has released a post-mortem report on the hack. The team stated that the attacker stole the funds by exploiting a vulnerability related to the Penpie feature that allows permissionless listing of Pendle markets. They reported that their in-house monitoring system detected suspicious activity, prompting them to immediately suspend all deposits and withdrawals and pause the platform’s smart contracts. According to the report, this action helped prevent approximately $105 million of assets from being stolen from the protocol.
Pendle’s developers confirmed that the vulnerability was specific to Penpie and that Pendle’s contracts were secure. They noted that after rigorous checks and coordination with relevant parties, they have safely unpaused the platform’s smart contracts and resumed normal operations as of 05:00 UTC, September 4, 2024, about 12 hours after the incident.
According to the Pendle team, this immediate response prevented an additional loss of $105 million worth of assets from the DeFi protocol. The team noted that it had enlisted the help of security experts, Seal 911, to prevent further attacks.
This incident adds to a rapidly growing list of hacks and exploits that DeFi protocols have suffered since the start of the year. An August 2024 report from Immunefi revealed that over $1.2 billion in funds had been stolen through hacks and exploits in 2024, marking a 15.5% increase compared to the same period in 2023, when losses totalled just over $1 billion.