Explained: The Punk Protocol Hack (August 2021)



Rob Behnke

August 13th, 2021


In August 2021, the Punk Protocol DeFi project was the victim of a hack.  A vulnerability in the project’s smart contracts was exploited, and over $8.9 million in tokens were extracted from the project.

Inside the Attack

The Punk Protocol attacker exploited access control issues within the project’s smart contracts.  Using delegate call to run the project’s Initialize function, the attacker was able to change the forge address on the smart contract to their own address.

Many of the privileged functions within the contract are only callable from this forge address.  After claiming it, the attacker could call the withdrawTo and withdrawToForge functions to send the tokens stored in the contract to their address.
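The access-control flaw described above, sketched as an added example (not Punk Protocol's code and not part of the original article): an initializer that can be called again, beside a hardened form. Contract names, function signatures and the deployer check are assumptions for illustration, and the hardened form assumes the contract is deployed directly by the account that later initializes it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified contracts for illustration; not Punk Protocol's source.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak form: initialize() has no caller check and no one-time guard,
// so any later call overwrites the privileged forge address.
contract UnguardedModel {
    address public forge;
    IERC20 public token;

    function initialize(address forge_, address token_) public {
        forge = forge_;
        token = IERC20(token_);
    }

    // Signature is assumed; the article only names the function.
    function withdrawTo(uint256 amount, address to) public {
        require(msg.sender == forge, "only forge");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened form: initialize() runs once, only for the deployer,
// and rejects zero addresses before any state is written.
contract GuardedModel {
    address public forge;
    IERC20 public token;
    bool private initialized;
    address private immutable deployer;

    constructor() { deployer = msg.sender; }

    function initialize(address forge_, address token_) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(forge_ != address(0) && token_ != address(0), "zero address");
        initialized = true;
        forge = forge_;
        token = IERC20(token_);
    }

    function withdrawTo(uint256 amount, address to) external {
        require(msg.sender == forge, "only forge");
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

In review, every function that writes a privileged address such as forge deserves the same two questions: who may call it, and how many times.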

This hack was another example of an attack where the malicious transaction was frontrun by a bot.  This bot observed the attacker’s transaction and performed it first, extracting some of the tokens from the protocol before the attacker could.  However, a bug in the bot’s code meant that it could only extract some of the tokens targeted by the attacker.

In the end, the bot extracted roughly $6 million from the protocol and another $3 million was stolen by the attacker.  Of this, the owner of the bot returned $5 million in tokens with the remainder claimed as a finder’s fee.

Lessons Learned From the Hack

The Punk Protocol attack exploited well-known and common vulnerabilities in the protocol’s smart contracts’ code.  These vulnerabilities would likely have been detected and remediated during a security audit; however, the smart contracts were launched without this audit.

Like other recent DeFi hacks, this attack demonstrates the importance of performing security audits on all code before releasing it to the blockchain.  In this case, the failure to do so cost Punk Protocol $4 million (between the stolen tokens and the finder’s fee) and could have resulted in a total loss of $8.9 million.