Rob Behnke
May 2nd, 2024
In April 2024, Pike Finance suffered a series of two hacks exploiting vulnerabilities related to the project’s smart contracts. The attackers stole $300,000 and about $1.6 million for a total of approximately $1.9 million.
The first Pike Protocol Beta hack occurred on April 26, 2024, and targeted the protocol’s USDC pool. The root issue was how the protocol managed transfers via the Cross-Chain Transfer Protocol (CCTP). CCTP was designed by Circle to enable USDC to be easily transferred across blockchains by minting and burning them rather than using a bridged version of the token.
While the Pike Protocol used Gelato to automate this process, the responsibility for validating the receiver addresses and transaction amounts lay with Pike. This functionality contained an error, which allowed the attacker to manipulate the target address and the amount of USDC tokens being transferred. The Pike protocol then accepted the manipulated version as valid, allowing the attacker to steal about $3000 in USDC from the protocol.
In response to the initial hack, the Pike spoke contracts were updated. This included introducing new dependencies into the code, which affected how the contract’s storage was laid out. One effect of this remapping was that the “initialized” variable was no longer accessible to the contract, causing it to believe that it had not been initialized.
The attackers exploited this fact to upgrade the spoke contracts with a malicious version. By doing so, they gained administrator access to them and were able to access the funds deposited into them. This allowed the attacker to carry out the second, $1.6 million theft from the Pike protocol.
The Pike Finance hacks were made possible by a few different security errors. The first was a failure to perform proper validation when accepting data and transfers from an external source. While Pike integrated with CCTP and Gelato for USDC transfers, it was responsible for making sure that those transfers were valid.
The second Pike hack was made possible by a failure to completely test and audit new code before launch. When the project updated its smart contracts, it broke its memory mapping, allowing the attacker to perform the malicious update. This type of issue could have been identified and avoided by performing a comprehensive smart contract audit and deployment testing before deploying to the blockchain.
Securing DeFi contracts requires considering the entire ecosystem and testing contracts before deployment. For help with protecting your DeFi contracts, get in touch with Halborn.