DeFi lender Pike Finance loses $1.9M to two hacks in less than a week

Pike Finance has been hacked for the second time in four days, with losses across the two incidents totaling approximately $1.9 million.

In response to the first hack, on April 26, the team immediately paused the protocol. However, this opened up a new vulnerability that was exploited between 21:45 and 22:20 (UTC) on April 30.

Crypto security firm Ancilia quickly identified three malicious transactions on the Optimism, Arbitrum, and Ethereum networks. Ancilia states the attacker was able to ‘upgrade’ and take control of the Pike Finance contracts, which allowed them to withdraw the funds held within.

The stolen assets were swapped to ETH and consolidated in the attacker’s Ethereum address before being deposited into privacy protocol Railgun.


The hack was acknowledged by the Pike team on X (formerly Twitter). The post put the losses at approximately 64k OP ($150,000), 100k ARB ($105,000), and 480 ETH ($1.4 million) and admitted that the hack was related to the previous incident.

The last time Pike Finance was hacked (three days ago), it suffered losses of around $300,000 worth of the USDC stablecoin. The resulting funds were swapped for ETH and transferred to the crypto-mixing service Tornado Cash.

According to the earlier incident’s post-mortem report, the protocol was paused to prevent any further losses while the incident was investigated. The report also admits that the vulnerability had been reported by auditors OtterSec, but that the Pike team “was unable to address the identified vulnerability in a timely manner.”

However, as described in today’s response to the second hack, pausing the contracts inadvertently introduced “an additional dependency within the smart contract code.” This led to a “misalignment in storage mapping” which the attacker could take advantage of, reinitializing the contract and assuming full control.
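As an added illustration of the failure mode the response describes, the constructed Solidity example below (not Pike Finance's code; contract and variable names are hypothetical) shows how inserting a pause variable into an upgradeable contract's storage layout shifts every existing variable to a different slot, so the initialization flag reads as false and `initialize` can be called a second time, alongside the append-only layout that keeps the old slots intact.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Contract and variable names are hypothetical and are not
// Pike Finance code. A proxy keeps all state in its own storage and delegatecalls
// into the implementation; the implementation's declaration order decides which
// slot each variable name reads from. Changing that order changes what every name means.

// Version 1, deployed behind the proxy.
contract LenderV1 {
    address public admin;                         // slot 0
    mapping(address => uint256) public deposits;  // slot 1 (values live at keccak256(key . 1))
    bool public initialized;                      // slot 2

    // A proxy never runs the implementation's constructor, so an initializer sets state once.
    function initialize(address _admin) external {
        require(!initialized, "already initialized");
        initialized = true;
        admin = _admin;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }
}

// Broken "pause" upgrade: a new variable is inserted at the top of the layout.
// Every existing name now points at a different slot than the one V1 wrote to:
//   pausedAt    -> slot 0, reads the old admin address as a number (looks "paused")
//   admin       -> slot 1, the mapping's base slot, which is always zero
//   deposits    -> slot 2, so every balance reads as zero
//   initialized -> slot 3, never written, so it reads false
// Because `initialized` now reads false, initialize() can be called again and
// hands admin rights, and therefore the funds, to whoever calls it first.
contract LenderV2Broken {
    uint256 public pausedAt;                      // inserted at slot 0: the bug
    address public admin;
    mapping(address => uint256) public deposits;
    bool public initialized;

    function initialize(address _admin) external {
        require(!initialized, "already initialized"); // passes again after the upgrade
        initialized = true;
        admin = _admin;
    }

    function pause() external {
        require(msg.sender == admin, "not admin");
        pausedAt = block.timestamp;
    }
}

// Safe upgrade: existing slots are untouched and the new variable is appended.
contract LenderV2Fixed {
    address public admin;                         // slot 0, unchanged
    mapping(address => uint256) public deposits;  // slot 1, unchanged
    bool public initialized;                      // slot 2, unchanged
    uint256 public pausedAt;                      // slot 3, appended

    // The implementation's own storage is never used by the proxy; marking it
    // initialized here stops anyone from initializing the bare implementation.
    constructor() { initialized = true; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier whenNotPaused() {
        require(pausedAt == 0, "paused");
        _;
    }

    function initialize(address _admin) external {
        require(!initialized, "already initialized"); // still true in proxy storage after the upgrade
        initialized = true;
        admin = _admin;
    }

    function pause() external onlyAdmin { pausedAt = block.timestamp; }
    function unpause() external onlyAdmin { pausedAt = 0; }

    function deposit() external payable whenNotPaused {
        deposits[msg.sender] += msg.value;
    }
}
```

The check a practitioner wants before any upgrade is a storage-layout comparison between the old and new implementation: `forge inspect <Contract> storage-layout` prints each variable's slot and offset for a side-by-side diff, and OpenZeppelin's upgrades plugins refuse an `upgradeProxy` whose layout is incompatible. Reserving a storage gap in the first version and using a library initializer such as OpenZeppelin's `Initializable` (with `_disableInitializers()` in the implementation constructor) are the standard ways to keep the two properties shown above: old slots never move, and the initializer can never run twice.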

Pike Finance has offered a 20% bounty for the return of the funds and has promised to provide a “plan to make users whole.”

The community’s opinions on this response can be seen in the Pike Finance Discord.


After being hit twice in a row, users are understandably upset, and some have suggested that Pike Finance refund pre-sale investments.

Predictably, this has itself opened another attack vector: scam replies impersonating the Pike Finance account promise victims a refund, a common phishing technique.
