Pythia Faces Reentrancy Attack
Pythia Finance, a decentralized finance protocol, suffered a reentrancy attack on September 3 that cost it roughly $53,000. According to a report by Quill Audits, the attacker targeted Pythia's "claim rewards" function, calling it repeatedly before the reward balance had been updated, and so extracted far more rewards than the account was entitled to.
The enabling mistake was ordering: Pythia sent rewards with the token's "safe transfer" function, which hands control to the recipient, and only afterwards reduced the claimant's reward balance. A malicious recipient contract could therefore re-enter the claim function from inside the transfer callback, finding its balance unchanged each time, and loop until the protocol's funds were drained. Quill Audits' partial audit suggests that Pythia has since upgraded its contract to close this path.
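The pattern described above, as an added illustration rather than Pythia's own code: a reward contract that transfers before it updates state, the recipient hook that exploits it, and the same function rewritten to follow checks-effects-interactions with a reentrancy guard. The token interface and the `tokensReceived` hook name are simplifying assumptions (real callback-capable standards such as ERC777 and ERC1155 have their own hook signatures).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for a token whose transfer notifies the recipient
// (ERC777-style tokensReceived / ERC1155-style onReceived hooks behave this way).
interface ICallbackToken {
    function safeTransfer(address to, uint256 amount) external;
}

// VULNERABLE: the balance is zeroed only after the external transfer, so a
// recipient hook can re-enter claimRewards() while rewards[msg.sender] is intact.
contract RewardsVulnerable {
    ICallbackToken public immutable token;
    address public immutable owner;
    mapping(address => uint256) public rewards;

    constructor(ICallbackToken _token) { token = _token; owner = msg.sender; }

    // Simplified accrual; in a real protocol rewards come from staking logic.
    function credit(address user, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        rewards[user] += amount;
    }

    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        token.safeTransfer(msg.sender, amount); // interaction first: control leaves this contract
        rewards[msg.sender] = 0;                // effect applied too late
    }
}

// FIXED: effects before interactions, plus a mutex so a re-entrant call reverts outright.
contract RewardsFixed {
    ICallbackToken public immutable token;
    address public immutable owner;
    mapping(address => uint256) public rewards;
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(ICallbackToken _token) { token = _token; owner = msg.sender; }

    function credit(address user, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        rewards[user] += amount;
    }

    function claimRewards() external nonReentrant {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        rewards[msg.sender] = 0;                // effect first
        token.safeTransfer(msg.sender, amount); // a re-entry now sees zero and is also blocked by the guard
    }
}

// Attacker recipient: its transfer hook re-enters while its balance is still non-zero.
contract ReentrantClaimer {
    RewardsVulnerable public immutable target;
    uint256 public hops;

    constructor(RewardsVulnerable _target) { target = _target; }

    function attack() external { target.claimRewards(); }

    // Hook assumed to be invoked by the token's safe transfer; bounded so the
    // loop stops before the protocol balance or gas runs out.
    function tokensReceived(address, address, uint256) external {
        if (hops < 5) {
            hops++;
            target.claimRewards();
        }
    }
}
```

Against `RewardsVulnerable`, one `attack()` call pays the attacker six times its credited amount; against `RewardsFixed` the nested call hits a zero balance (and the guard) and reverts, so only the first transfer goes through.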
Zyxel’s Critical Vulnerability
On September 4, networking hardware manufacturer Zyxel disclosed a critical firmware vulnerability affecting several of its networking devices. The flaw allows code execution on affected routers and access points, which in turn exposes every host on the network behind them.
The vulnerability is an OS command injection: improper neutralization of special elements in the 'host' parameter handled by a CGI program on the device. An unauthenticated attacker can trigger it by sending a crafted cookie to a vulnerable device, causing it to execute attacker-supplied OS commands.
Crypto wallet users are particularly exposed. An attacker who controls the home router can redirect traffic, read anything sent unencrypted, and attempt to intercept encrypted sessions (for example by steering clients to attacker-controlled endpoints); deep packet inspection alone does not decrypt properly configured TLS, but the metadata and any plaintext it reveals are enough to fuel targeted social engineering. Zyxel has advised users to upgrade to the fixed firmware.
Penpie Exploit Explained
Penpie, a decentralized finance protocol that provides yield boosting for Pendle Finance users, lost about $27 million on September 3 to a flaw that let any user register a Pendle market of their own making as a Penpie reward pool. The vulnerability was described in a report by Zokyo on September 4. An earlier version of the protocol had been audited by Zokyo, but it did not contain this flaw at that time.
Penpie's "registerPenpiePool" function registers new pool addresses and their Pendle Markets. It carried a modifier checking that the market was listed in Pendle Finance's factory contract, but that check is satisfiable by anyone: the factory's createNewMarket function is permissionless, so any user could create a Pendle Market and then register it with Penpie.
The attacker created a fake Pendle Market and pool and configured them to hand out valuable Pendle tokens as rewards. They then used a reentrancy flaw to deposit tokens repeatedly, inflating the rewards owed to them, before withdrawing the deposit and claiming the rewards, draining over $27 million from the protocol.
According to the report, the reentrancy flaw was already present in the version Zokyo audited. At that time only the protocol team could register a new pool and market, which kept an external attacker from reaching it. Penpie later introduced "permissionless pool registration", audited by AstraSec, but only the new contracts were in scope. The interaction between the old and new contracts went unnoticed by both audit teams.
The exploit shows the cost of a trust boundary moving without the code behind it being re-examined: a check that was adequate while registration was restricted became the whole defence once registration was opened up.
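The registration flaw described above, as an added illustration and not Penpie's or Pendle's code: a registry whose only gate is "the factory knows this market" is no gate at all when the factory is permissionless. The `IMarketFactory` interface, function names and the governance allowlist in the hardened version are simplifying assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified view of a market factory. In the real system anyone can
// call its createNewMarket, so isValidMarket says "exists", not "trusted".
interface IMarketFactory {
    function isValidMarket(address market) external view returns (bool);
}

// VULNERABLE: factory membership is treated as proof of legitimacy.
contract PoolRegistryVulnerable {
    IMarketFactory public immutable factory;
    mapping(address => address) public poolOf; // market => reward pool

    modifier onlyValidMarket(address market) {
        require(factory.isValidMarket(market), "not a Pendle market");
        _;
    }

    constructor(IMarketFactory _factory) { factory = _factory; }

    // Any caller who first created a market through the factory passes the modifier
    // and can point the protocol's reward logic at a pool they control.
    function registerPenpiePool(address market, address pool) external onlyValidMarket(market) {
        require(poolOf[market] == address(0), "already registered");
        poolOf[market] = pool;
    }
}

// HARDENED: existence in the factory is necessary but not sufficient; a market
// must also be explicitly allowlisted by governance before a pool can be attached.
contract PoolRegistryHardened {
    IMarketFactory public immutable factory;
    address public immutable governance;
    mapping(address => bool) public allowedMarket;
    mapping(address => address) public poolOf;

    constructor(IMarketFactory _factory, address _governance) {
        factory = _factory;
        governance = _governance;
    }

    // Governance vets the market (its underlying assets, reward tokens, etc.) off-chain
    // and records the decision on-chain.
    function allowMarket(address market) external {
        require(msg.sender == governance, "not governance");
        require(factory.isValidMarket(market), "not a Pendle market");
        allowedMarket[market] = true;
    }

    // Registration can stay open to anyone; the allowlist, not the factory, is the trust root.
    function registerPenpiePool(address market, address pool) external {
        require(allowedMarket[market], "market not allowlisted");
        require(poolOf[market] == address(0), "already registered");
        poolOf[market] = pool;
    }
}
```

If fully permissionless registration is a product requirement, the alternative is to replace the allowlist with on-chain validation of what the market is made of (that its underlying and reward tokens come from sources the protocol already trusts), and to treat any reward accounting reachable from a registered pool as untrusted input guarded against reentrancy.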
Conclusion
The Pythia and Penpie incidents show why security review has to be continuous rather than a one-off gate. In both cases the contracts changed after they were audited, and in Penpie's case the new code was audited in isolation while the old code it exposed was not re-examined. Audits need to cover the interaction between old and new components, not just the component that changed. Separately, owners of Zyxel devices should treat the firmware update as urgent: a compromised router sits upstream of every device and wallet in the home.
