A decentralized finance (DeFi) project has been robbed. This time it is Pickle Finance, a relatively new yield farming platform similar to Yearn Finance.
Pickle has now confirmed that as much as $19,759,355 DAI has been stolen from the platform.
This DAI was stolen from the cDAI jar of the platform. Vaults are called jars (pots) on Pickle, and the DAI vault is connected to Compound. The specifics of the hack are not yet known at the time of writing. Pickle reports that the hacker used a very complicated method.
Together with some well-known figures from the DeFi world, the platform team has been analyzing the hack through reverse engineering.
Cryptographer ‘Orbxball’ gave his view of what happened yesterday.
THERE ARE 8 FLAWS UTILIZED IN THIS EXPLOIT. YET, THERE’S ONE THING WORTH POINTING OUT. THIS EXPLOIT ONLY HAPPENS WHEN THESE 8 FLAWS OCCUR AT THE SAME TIME. SO EITHER 1 OF 8 WAS FIXED OR DIDN’T EVEN EXIST, THERE WOULDN’T BE THIS EXPLOIT.
1/ I saw many wrong tweets about the @picklefinance exploit. Let me try to explain it.
It's not an economic exploit. It's more like a traditional CTF combining all coincidence. More details in the following threads.
TL;DR This precisely describes how the exploit works. pic.twitter.com/CjY4GzuSFI
— orb_x_ball (@orbxball) November 22, 2020
He reports that eight errors in the project were used in the hack and that this was only possible because all eight errors co-occurred. Even if only one of these mistakes had been repaired, the hack would have been impossible. Previous attacks of this kind were mainly carried out using so-called flash loans.
But this is not the case this time. The attack is more like the recent hack of the DeFi platform Akropolis, from which $2 million DAI was recently stolen. It was reported that Pickle had applied a new strategy to the cDAI jar one day before the incident.
The Pickle token has suffered a tremendous blow. The Pickle price went down last night from about $22.80 to a low of $8.70, a drop of over 60% in a few hours.