
Beosin: Penpie attacked, losing about $27 million in assets; analysis of the attack

2024-09-04 02:29
Odaily News: According to Beosin Alert monitoring, Penpie, a DeFi protocol built on Pendle, was hacked and about $27 million in crypto assets were stolen. Beosin's brief analysis of the incident is as follows: the attacker used the claimRewards function of the market contract to re-enter staking and increase the balance of the staking contract, then extracted the staking contract's excess tokens and staked assets for profit.

1. The attacker first created an attack contract and built the corresponding market contract through the official factory.
2. The batchHarvestMarketRewards function of the staking contract was called to update the rewards for the market.
3. During the reward update, the claimRewards function of the attack contract is called back. This function re-enters staking to stake the assets obtained through the flash loan, which creates a discrepancy in the staking contract's asset amounts, and the excess is then extracted.
4. The attacker withdraws the staked assets and repays the flash loan, keeping the profit.
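
A simplified Python model of the accounting flaw described in step 3, added here as an illustration; it is not Penpie's or Beosin's code. It assumes the reward update measures the staking contract's token balance before and after the callback, and the `guarded` flag models a standard non-reentrant lock, a mitigation the article does not discuss. All class and function names are hypothetical.

```python
class Reentrancy(Exception):
    pass

class Staking:
    """Toy model: rewards are credited as the balance change seen around an external call."""
    def __init__(self, balances, guarded):
        self.bal, self.guarded, self.locked = balances, guarded, False
        self.deposits, self.rewards = {}, {}

    def _enter(self):
        if self.guarded and self.locked:
            raise Reentrancy("nonReentrant")
        prev, self.locked = self.locked, True
        return prev

    def deposit(self, user, amt):
        prev = self._enter()
        try:
            self.bal[user] -= amt        # token transfer: user -> staking contract
            self.bal["staking"] += amt
            self.deposits[user] = self.deposits.get(user, 0) + amt
        finally:
            self.locked = prev

    def harvest(self, market):
        prev = self._enter()
        try:
            before = self.bal["staking"]
            market.claim_rewards(self)   # external call into a market the contract does not control
            delta = self.bal["staking"] - before
            self.rewards[market.owner] = self.rewards.get(market.owner, 0) + delta
        finally:
            self.locked = prev

class CallbackMarket:
    """Constructed stand-in for a market whose claim_rewards re-enters deposit (step 3)."""
    def __init__(self, owner, amt):
        self.owner, self.amt = owner, amt
    def claim_rewards(self, staking):
        staking.deposit(self.owner, self.amt)

def run(guarded):
    s = Staking({"owner": 100, "staking": 0}, guarded)  # constructed sample balances
    try:
        s.harvest(CallbackMarket("owner", 100))
        status = "ok"
    except Reentrancy:
        status = "reverted"
    return status, s.deposits.get("owner", 0), s.rewards.get("owner", 0), s.bal["staking"]
```

Without the lock, the same 100 tokens are recorded both as a deposit and as a reward while the contract holds only 100; with the lock, the nested deposit reverts and nothing is credited.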