Pickle Finance Exploited For $20M In Most Complex Ever Code Execution

Posted On November 23, 2020 by Taha Zafar


In the latest DeFi hack, Pickle Finance, a yield-farming protocol built to keep stablecoins near their peg, was exploited on 21 November 2020 at 06:37 PM (UTC) for nearly $20M. The incident is notable because analysts are calling it the most complex DeFi exploit to date: the pDAI jar was drained with considerable skill. The attacker chained several flaws, including the Jar swap and Jar convert logic in the protocol's controller, into a highly sophisticated sequence of contract calls.

https://twitter.com/picklefinance/status/1330242051468910596

Following the attack, users were advised to withdraw their funds from the Pickle Jars and wait for further updates. The team has since confirmed that the attack has been reverse engineered and that the affected modules have been patched to close this attack vector.

https://twitter.com/picklefinance/status/1330576727341363201

Banteg Reveals Details Of The Attack

Yearn.Finance developer Banteg was one of the white-hat hackers who assisted the team with the investigation and the fix, and he has since posted a detailed explanation of the attack. It is evident that the hacker(s) had a deep understanding of the protocol's smart contract logic and execution flow. The following steps are taken from his GitHub write-up.

  1. Deploy two Evil Jars
  2. Get the amount available to withdraw from StrategyCmpdDaiV2
  3. Invoke ControllerV4.swapExactJarForJar() passing the Evil Jars and the amount retrieved in the previous step.
  4. ControllerV4.swapExactJarForJar() doesn’t check the Jars and calls them, withdrawing from StrategyCmpDAIV2 using StrategyCmpDAIV2.withdrawForSwap(), which ultimately uses StrategyCmpDAIV2.deleverageToMin(). This transfers 19M DAI to pDAI.
  5. Call pDAI.earn() 3 times. This invokes a Compound deposit via StrategyCmpDAIV2.deposit(), leading to the contract receiving cDAI. StrategyCmpdDAIV2 now has an equivalent of 19M in cDAI.
  6. Deploy 3 more evil contracts, the first one being the equivalent of FakeUnderlying in our replicated exploit and the other two Evil Jars.
  7. Invoke ControllerV4.swapExactJarForJar() passing the Evil Jars, no amount and a CurveProxyLogic as target with crafted data which allowed an injection to call the equivalent of FakeUnderlying.
  8. ControllerV4 delegate calls CurveProxyLogic.add_liquidity() passing StrategyCmpDAIV2 and a crafted signature which leads to withdrawal of cDAI and transferring them to ControllerV4.
  9. The funds (in cDAI) are now in the Controller; it calls EvilJar.deposit(), which transfers the funds to the attacker’s smart contract.
  10. The attacker smart contract redeems cDAI for DAI from Compound and transfers DAI to the attacker EOA.
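To make the two flaws in the walkthrough concrete, here is an added illustration in Solidity. It is not Pickle Finance's code and does not reproduce ControllerV4; it is a deliberately minimal controller that exhibits the unchecked-jar pattern (steps 3, 4 and 9) and the unchecked-delegatecall pattern (steps 7 and 8), next to a hardened version. The interfaces, storage layout, governance setters and every name other than swapExactJarForJar and withdrawForSwap are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Added illustration, not Pickle Finance's code. Everything except the names
// swapExactJarForJar and withdrawForSwap is hypothetical.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

interface IJar {
    function token() external view returns (address); // underlying asset of the jar
    function deposit(uint256 amount) external;
}

interface IStrategy {
    // Unwinds `amount` of the yield position and sends the underlying to the controller.
    function withdrawForSwap(uint256 amount) external;
}

// Flawed pattern: every address the caller passes is trusted.
contract VulnerableController {
    mapping(address => address) public strategies; // underlying token => strategy

    function swapExactJarForJar(address fromJar, address toJar, uint256 fromAmount,
                                address target, bytes calldata data) external {
        // Flaw 1: fromJar is never checked against a registry. An attacker-deployed
        // "Evil Jar" can return the DAI address, and the real DAI strategy is unwound.
        address token = IJar(fromJar).token();
        IStrategy(strategies[token]).withdrawForSwap(fromAmount);

        // Flaw 2: delegatecall into a caller-chosen target with caller-chosen calldata.
        // The callee runs with this contract's storage, balances and token approvals.
        if (target != address(0)) {
            (bool ok, ) = target.delegatecall(data);
            require(ok, "logic call failed");
        }

        // Flaw 1 again: whatever the controller now holds goes to the caller's toJar.
        uint256 bal = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transfer(toJar, bal), "transfer failed");
        IJar(toJar).deposit(bal);
    }
}

// Hardened pattern: only governance-registered jars, strategies and conversion
// logic (target plus function selector) can be reached from this entry point.
contract HardenedController {
    address public governance;
    mapping(address => address) public strategies;                    // token => strategy
    mapping(address => address) public jars;                          // token => sanctioned jar
    mapping(address => mapping(bytes4 => bool)) public approvedLogic; // target => selector => ok

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor() { governance = msg.sender; }

    function setJar(address token, address jar) external onlyGovernance { jars[token] = jar; }
    function setStrategy(address token, address s) external onlyGovernance { strategies[token] = s; }
    function setApprovedLogic(address target, bytes4 sel, bool ok) external onlyGovernance {
        approvedLogic[target][sel] = ok;
    }

    function swapExactJarForJar(address fromJar, address toJar, uint256 fromAmount,
                                address target, bytes calldata data) external {
        address fromToken = IJar(fromJar).token();
        address toToken = IJar(toJar).token();
        // Fix 1: the caller may only name the jar governance registered for that token,
        // so an Evil Jar that claims to hold DAI is rejected before any funds move.
        require(jars[fromToken] == fromJar, "unregistered from jar");
        require(jars[toToken] == toJar, "unregistered to jar");
        require(fromAmount > 0, "zero amount"); // step 7 above passed no amount at all

        IStrategy(strategies[fromToken]).withdrawForSwap(fromAmount);

        // Fix 2: delegatecall only into a vetted (target, selector) pair.
        if (target != address(0)) {
            require(data.length >= 4, "short calldata");
            require(approvedLogic[target][bytes4(data[:4])], "unapproved logic");
            (bool ok, ) = target.delegatecall(data);
            require(ok, "logic call failed");
        }

        uint256 bal = IERC20(toToken).balanceOf(address(this));
        require(IERC20(toToken).transfer(toJar, bal), "transfer failed");
        IJar(toJar).deposit(bal);
    }
}
```

Note the limit of Fix 2. Step 8 above shows the attacker reaching a legitimate logic contract (CurveProxyLogic) with crafted arguments, so approving a target and selector is only a partial defence. If the approved logic itself forwards a call to an address or signature taken from its arguments, the controller should build that calldata from parameters it has validated rather than accept it from the caller, or drop the caller-supplied delegatecall entirely.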

Implications For DeFi Protocols Design And Security

DeFi protocols are known for a “move fast and break things” ethos. Developer teams in this space routinely experiment with code and deploy unaudited contracts with few safeguards. Lately this has resulted in massive fund losses, largely borne by users. Even when code has been audited, including by multiple teams, there is no guarantee that it is 100% secure.

DeFi teams need a multi-disciplinary strategy that brings together finance, game theory, tokenomics, and smart contract design and logic. They also need to make sure that appropriate safeguards are in place to enforce limits (such as caps on what a single transaction can withdraw and strict validation of any contract address the protocol will call) and that insurance has been acquired, so that users are protected against exploits of this kind.


Tags: code exploit, DeFi hack, pickle finance