$28M Penpie Exploit Detected Within Seconds by CUBE3.AI

In a swift attack on Penpie, a hacker facilitated the theft of $28M across Ethereum and Arbitrum by using a flash loan from Balancer. CUBE3.AI’s models detected the exploit contract merely 32 seconds after deployment, and 10 minutes before the first malicious transaction, highlighting the need for real-time security measures in the web3 space.

Key Details:

Chain: Ethereum, Arbitrum
Total loss: $28 million
Attacker Address: 0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b (Ethereum & Arbitrum)
Exploit Contract: 0xcde2cd6aeaaf0238f4ce33295be13704e4a97de2 (Ethereum)
Flash Loan Provider: Balancer
Victim: Penpie

The Attack

On Sep 3, 2024, CUBE3.AI’s detection system flagged a contract created by the attacker. Just 10 minutes later, the first malicious transaction drained a significant portion of funds. Here’s a breakdown of the malicious transactions:

Ethereum
- Transaction Hash: 0x56e09abb35ff12271fdb38ff8a23e4d4a7396844426a94c4d3af2e8b7a0a2813
- Loss: $16.35M

Ethereum
- Transaction Hash: 0x42b2ec27c732100dd9037c76da415e10329ea41598de453bb0c0c9ea7ce0d8e5
- Loss: $5.74M

Ethereum
- Transaction Hash: 0x663b55a1ee992603f7636ef23ff5cf19d3b261ab81494d06e218c86482df5342
- Loss: $5.44M

Arbitrum
- Transaction Hash: 0x67c5400da117b906f8c0fc5f5149e4ea10ed6358cd9ea2ec0ed8f559d757b7df
- Loss: $678K

These transactions resulted in a total loss of $28M across both chains.

Anatomy of the Exploit

The attack exploited a vulnerability in the _harvestBatchMarketRewards internal function in the PendleStaking implementation (0xff51c6b493c1e4df4e491865352353eadff0f9f8), which initiated an external call to another contract. The attacker manipulated this call, redirecting it to the exploit contract, creating a double-spend reentrancy vulnerability.

Leveraging a flash loan from Balancer, the attacker orchestrated a complex exploit across two chains—Ethereum and Arbitrum. With the loaned funds, the attacker executed multiple transactions designed to manipulate the protocol and drain assets from Penpie’s contracts.

Conclusion

Following the attack, the Penpie team responded swiftly by pausing all deposits and withdrawals to prevent further damage and address the exploit. While their quick action is commendable, the need to manually pause smart contracts reveals a vulnerability in many existing security setups.

With CUBE3.AI’s real-time fraud detection, projects like Penpie can avoid the need for such pauses. CUBE3.AI’s Runtime Application Self-Protection (RASP) detects and blocks malicious transactions before they cause damage, preventing the need for emergency measures like halting contract activity.

By leveraging CUBE3.AI’s proactive security solutions, blockchain projects can maintain continuous operations, safeguarding assets and providing uninterrupted service to their users—even in the face of sophisticated attacks.

Sarunas Matulevicius

Sep 5 12min read

CUBE3.AI Ongoing Product Release Notes

At CUBE3, we’re constantly upgrading the product and making iterative improvements. This post will be updated with the most recent CUBE3 product release notes.

CUBE3.AI

Nov 14 6min read

Preparing for MiCA and AMLD Compliance: What Crypto Providers Need to Know

Introduction: Navigating MiCA and AMLD Requirements with Confidence As the crypto landscape matures, regulatory standards like the Markets in Crypto-Assets (MiCA) and the Anti-Money Laundering Directive (AMLD) in the European Union are becoming central to compliance requirements for crypto-asset service providers (CASPs). These regulations are designed to increase market transparency, protect clients, and curb financial

CUBE3.AI

Oct 22 4min read

Fraud is Outpacing Hacking Exploits (CUBE3.AI Can Help Stop It)

Fraud is devastating lives and recently began to outpace hacking exploits according to the FBI. CUBE3.AI is the future of real-time fraud prevention.

Antal Nagy

Oct 11 4min read

$2.28M Phishing Fraud on Aave: Detected by CUBE3.AI Before It Happened

On October 9, 2024, a sophisticated phishing exploit targeted a high-value wallet on Aave, resulting in the loss of approximately $2.28 million worth of aEthsDAI tokens. This attack sheds light on a cunning tactic used by fraudsters to bypass standard security measures by manipulating token approvals. Notably, CUBE3.AI had already flagged the attacker’s wallet back

$28M Penpie Exploit Detected Within Seconds by CUBE3.AI

The Attack

Anatomy of the Exploit

Conclusion

$2.28M Phishing Fraud on Aave: Detected by CUBE3.AI Before It Happened

CUBE3 and Space and Time Partner to Make Web3 Safer

Exploring the Web3 Security Stack

CUBE3.AI Ongoing Product Release Notes

Mastercard Selects CUBE3.AI for Start Path

Introducing Real-Time Web3 Transaction Security by CUBE3.AI

CUBE3.AI Ongoing Product Release Notes

Preparing for MiCA and AMLD Compliance: What Crypto Providers Need to Know

Fraud is Outpacing Hacking Exploits (CUBE3.AI Can Help Stop It)

$2.28M Phishing Fraud on Aave: Detected by CUBE3.AI Before It Happened

Stay informed, stay protected.
Get the latest web3 security news first

Partners & Clients

Investors & Accelerators

We’re ISO27001 and GDPR compliant

$28M Penpie Exploit Detected Within Seconds by CUBE3.AI

The Attack

Anatomy of the Exploit

Conclusion

$2.28M Phishing Fraud on Aave: Detected by CUBE3.AI Before It Happened

CUBE3 and Space and Time Partner to Make Web3 Safer

Exploring the Web3 Security Stack

CUBE3.AI Ongoing Product Release Notes

Mastercard Selects CUBE3.AI for Start Path

Introducing Real-Time Web3 Transaction Security by CUBE3.AI

CUBE3.AI Ongoing Product Release Notes

Preparing for MiCA and AMLD Compliance: What Crypto Providers Need to Know

Fraud is Outpacing Hacking Exploits (CUBE3.AI Can Help Stop It)

$2.28M Phishing Fraud on Aave: Detected by CUBE3.AI Before It Happened

Stay informed, stay protected.Get the latest web3 security news first

Partners & Clients

Investors & Accelerators

We’re ISO27001 and GDPR compliant

Stay informed, stay protected.
Get the latest web3 security news first