
Pike responds to the exploit: the problem lies not in Circle's CCTP or Gelato's automation services themselves, but in how the team integrated their technology

2024-05-02 10:26
Odaily News: DeFi protocol Pike has clarified its previous statement regarding the USDC pool vulnerability incident. The clarification was issued after the Pike Beta protocol suffered a $1.6 million exploit on April 30. On May 1, Pike issued a statement saying that the attack was related to the USDC vulnerability, and that USDC-related products had nothing to do with the security vulnerability suffered by its network. "This attack is related to the initial USDC vulnerability reported on April 26."

However, Pike quickly clarified that the wording "USDC vulnerability" used in its statement did not accurately describe the attack. Pike pointed out that the attack was caused by negligence in the security measures of its contract functions when handling transfers with the Cross-Chain Transfer Protocol (CCTP) provided by USDC issuer Circle. Pike clarified that the root cause of the attack was not related to Circle's product functions.

In a previous announcement, Pike stated that its audit partners had discovered the vulnerability that led to the first attack on April 26, but the team was unable to resolve it in time. “To clarify, this vulnerability was previously discovered by our audit partner OtterSec. Our development team was unable to address this discovered vulnerability in a timely manner,” they wrote. Pike noted that the attack was caused by its team’s “improper integration” of third-party technologies, such as CCTP or Gelato Network’s automation services.

The initial attack resulted in the theft of $300,000 worth of digital assets. On April 30, attackers exploited a vulnerability in the protocol’s smart contracts to steal approximately $1.68 million on the Ethereum, Arbitrum, and Optimism networks. Overall, attackers stole $1.4 million in ETH, $150,000 in Optimism (OP), and approximately $100,000 in Arbitrum (ARB) tokens.

Pike acknowledged that both attacks were caused by a vulnerability in the same smart contract that allowed the attacker to overwrite the contract. Pike said the misalignment of the contract ultimately enabled the attacker to bypass administrator access and withdraw funds. (Cointelegraph)

Earlier, on April 27, the cross-chain lending protocol Pike Finance posted on the X platform that the USDC mining pool on the Pike Beta test version was hacked at 8:13 on April 26, losing 299,127 USDC. The root cause of this incident was a forged CCTP message that caused the USDC on the Ethereum, Arbitrum and Optimism chains to be exhausted, while the USDC and other assets on the Base chain were not affected. The team has temporarily stopped the protocol function and is working with two audit partners to resolve the vulnerability and propose a plan to ensure that all affected users will recover soon.