Hackers continue to target the Decentralized Finance market, and multiple major DeFi protocols have already lost millions of dollars in funds. The latest to take a hit is Pickle Finance, a project that shifts investors’ money around different DeFi protocols to maximize returns. It was exploited today, and one of its smart contracts lost $20 million in funds.
The team behind the project is currently investigating the case while the stolen funds lie “dormant” in the wallet of the attackers. Making matters worse, the price of the protocol’s native token crashed after news of the hack surfaced on the internet. The token lost over 58% in a few hours.
The attackers stole the funds from one of its smart contracts, which contained cDAI tokens issued by Compound when Pickle “deployed a new strategy” to maximize returns from DAI, a decentralized stablecoin pegged to the US dollar.
However, the attack is quite different from the flash loan attacks that hackers have previously employed on several occasions to get away with millions in funds. In the case of Pickle Finance, the attackers used a malicious contract to interact with the original contracts.
According to Emiliano Bonassi, the co-founder of DeFi Italia, the attacker created “bad jars,” malicious contracts with an interface similar to that of the “good jars” but programmed differently. The attacker then exchanged funds between the “bad jar” and the real cDAI Jar, and was thus able to get away with the $20 million.
Bonassi adds that he finds it quite curious that the hackers didn’t rely on flash loans, given that the attack was quite complex and the strategy seems to be “well studied, and not easy.”
Hackers continue to plague DeFi
The attack on Pickle Finance comes days after the Origin Protocol, a stablecoin project, was reported to have suffered an attack. The attack took place via a flash loan and also took advantage of bugs within the OUSD contract to initiate a rebase. This, in turn, was used to artificially increase the supply of the token within the ecosystem, and the excess supply was traded on SushiSwap and Uniswap for USDT.
As a result of the attack, a reported $7 million was lost. Of the money lost, $1 million was deposited by employees and founders of Origin. 2020 has seen several attacks of this sort. In February, DeFi lending protocol bZx suffered two flash loan attacks with $954,000 lost in total.