Two Auditors Overlook $27M Vulnerability in Penpie and Pythia’s ‘Claim Rewards’ Bug: Crypto-Sec Reports


Recent Security Incidents in Decentralized Finance

Pythia Finance Suffers from Reentrancy Attack

The decentralized finance platform Pythia Finance recently experienced a significant security breach, resulting in the loss of $53,000 on September 3. This incident was documented by a reputable blockchain security firm, Quill Audits. Pythia is an algorithmic stablecoin initiative that leverages artificial intelligence to oversee its financial treasury.

The exploit occurred when the attacker repeatedly invoked the “claim rewards” function without allowing the system to update the reward balance after each invocation. This repeated action enabled the attacker to accumulate more rewards than they should have received.

As outlined in the report, the attacker exploited a coding flaw whereby the “safe transfer” function was called on the reward token during distribution, before the claimant’s reward balance had been updated. This vulnerability allowed a malicious token contract to call back into Pythia from within that transfer, initiating a nested series of function calls that resulted in the depletion of the protocol’s funds.

Pythia Audit Report
Partial audit report of Pythia Finance. (Source: Pythia)

According to the partial audit from Quill Audits, all of the findings raised against Pythia had been marked resolved before the incident, suggesting that the development team may have already implemented measures to mitigate further exploits.

Reentrancy attacks, a common form of smart contract exploit, occur when a function can be entered again before its previous invocation has finished updating state, so that balance checks run against stale values and produce unexpected behavior.

Zyxel Reveals Critical Vulnerabilities in Networking Devices

On September 4, networking equipment manufacturer Zyxel announced significant vulnerabilities in certain models, which could allow attackers to execute malicious code on users’ routers and access points. This security flaw poses a serious threat, potentially granting unauthorized access to users’ devices.

The issue stems from the improper handling of special characters in the ‘host’ parameter used within the CGI programs of various firmware versions. Consequently, an unauthenticated attacker could execute operating system commands by delivering a specially crafted cookie to a vulnerable device.

Users of cryptocurrency wallets must remain vigilant regarding potential threats to their home networks. An intruder with access to a home network can conduct DNS spoofing, intercept unencrypted data, or even decrypt encrypted communications using deep packet inspection techniques. The information obtained may facilitate social engineering scams to manipulate users into approving transactions or sharing sensitive credentials.

Zyxel has released a list of affected devices, which includes the NWA50AX PRO, NWA90AX, and WAC500 models, along with the USG LITE 60AX router. The company has urged users to promptly update their firmware to address these critical vulnerabilities.

Penpie Exploit Leads to Creation of Fake Pendle Market

The recent $27 million exploit involving Penpie was facilitated by a software flaw that enabled any user to establish a Pendle market. A report from security firm Zokyo highlighted that a prior version of the protocol had been audited and did not possess this vulnerability at the time.

The Penpie protocol includes a function termed “registerPenpiePool,” which facilitates the registration of new pool addresses and Pendle Markets. Despite the initial safeguards, the createNewMarket function in the Pendle factory contract was itself permissionless, so any user could create a Pendle Market and then register it with Penpie.

The attacker leveraged this flaw to set up a fraudulent Pendle Market and pool, which were engineered to distribute valuable Pendle tokens as rewards.

Pendle Finance Creation Function
Function to create a new Pendle Market. (Source: Zokyo)

Moreover, the Penpie protocol was also subject to a reentrancy vulnerability, permitting the attacker to deposit tokens repeatedly before the balances were updated. This action allowed for an artificial inflation of rewards, leading to the withdrawal of funds and ultimately draining over $27 million from the protocol.
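The following is an added illustration (not Pythia’s or Penpie’s code) of the two weaknesses described above: a reward-claim function that calls an external token before zeroing the claimant’s balance, shown commented out beside a hardened version that applies checks-effects-interactions and a reentrancy guard, and a pool registration that is restricted to the owner so that a market minted from a permissionless factory cannot be wired in as a reward source. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative contract (not Pythia's or Penpie's). A malicious reward token's
// transfer() can call back into claimRewards(): the reentrancy path described.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
contract RewardPool {
    address public immutable owner;
    IERC20 public immutable rewardToken;
    mapping(address => bool) public registeredPools;   // allowlisted reward sources
    mapping(address => uint256) public pendingRewards; // per-user claimable amount
    uint256 private locked = 1;                        // reentrancy guard state

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(IERC20 token) { owner = msg.sender; rewardToken = token; }

    // Permissioned registration: a market anyone can mint from a permissionless
    // factory cannot be wired in as a reward source by its creator.
    function registerPool(address pool) external {
        require(msg.sender == owner, "not owner");
        registeredPools[pool] = true;
    }
    // Only registered pools may credit rewards.
    function creditReward(address user, uint256 amount) external {
        require(registeredPools[msg.sender], "unregistered pool");
        pendingRewards[user] += amount;
    }

    // Vulnerable ordering, kept commented for contrast: the external call runs
    // before the balance is zeroed, so a callback can claim the same amount again.
    // function claimRewardsUnsafe() external {
    //     uint256 amount = pendingRewards[msg.sender];
    //     rewardToken.transfer(msg.sender, amount);
    //     pendingRewards[msg.sender] = 0;
    // }

    // Hardened: checks-effects-interactions plus the guard. The balance is zeroed
    // before the token is called, so a reentrant call finds nothing to claim.
    function claimRewards() external nonReentrant {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0;
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Either defence alone stops the claim-rewards replay; an audit that reviews only new contracts would miss a change in the registration path, which is why the registration check is shown alongside the guard.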

Following the incident, the Penpie team disclosed that the permissionless pool registration feature was introduced after earlier audits were conducted. Although a new audit was performed, it only covered new contracts and did not include interactions between previously audited contracts, allowing for this exploit to go unnoticed. In response to these events, Penpie has committed to conducting regular audits to prevent future vulnerabilities.

About the Author

Christopher Roark is known for his expertise in identifying and addressing security vulnerabilities in the decentralized finance space. With an unwavering commitment to combating scams and online threats, he possesses a unique perspective on the evolving landscape of cybersecurity.
