$27M Penpie Flaw Overlooked by 2 Auditors, Pythia’s Reward Bug: Crypto Security Alert

Pythia Finance Hit by Reentrancy Attack

On September 3, Pythia Finance, a decentralized finance protocol known for its algorithmic stablecoin project, faced a reentrancy attack resulting in a loss of $53,000. According to blockchain security firm Quill Audits, the attacker exploited a vulnerability in the “claim rewards” function. By repeatedly calling this function without allowing the reward balance to update, the attacker collected more rewards than they were entitled to.

Quill Audits explained that the attacker could execute this because Pythia’s code called the token’s “safe transfer” function during reward distribution. This allowed a malicious token contract to repeatedly call back the function, creating a loop that drained the protocol’s funds.

The audit report from Quill Audits showed no unresolved security issues, suggesting that Pythia’s team may have upgraded the contract to prevent further exploitation.

Understanding Reentrancy Attacks

Reentrancy attacks occur when an attacker calls a function again before an earlier call to it has finished executing, typically through an external call the contract makes before it updates its own state. This common smart contract exploit can lead to significant financial losses if not mitigated.
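The "claim rewards" pattern described above, as an added example that is not Pythia's contract code: a small Python model in which the pool pays out before zeroing the reward balance, next to a version that updates the balance first (checks-effects-interactions). The class names, account names and amounts are constructed for illustration.

```python
class CallbackToken:
    """Constructed stand-in for a token whose transfer runs recipient code."""
    def __init__(self):
        self.balances = {}
        self.on_receive = None  # callback invoked during every transfer

    def safe_transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if self.on_receive:
            self.on_receive(to)  # control leaves the pool here

class VulnerablePool:
    def __init__(self, token):
        self.token = token
        self.rewards = {}  # account -> unclaimed reward

    def claim_rewards(self, account):
        amount = self.rewards.get(account, 0)
        if amount == 0:
            return
        self.token.safe_transfer("pool", account, amount)  # interaction first
        self.rewards[account] = 0  # effect lands only after the external call

class FixedPool(VulnerablePool):
    def claim_rewards(self, account):
        amount = self.rewards.get(account, 0)
        if amount == 0:
            return
        self.rewards[account] = 0  # effect before interaction
        self.token.safe_transfer("pool", account, amount)

def simulate(pool_cls, reentries=3):
    """Return what the claimant holds after one top-level claim of 100."""
    token = CallbackToken()
    token.balances["pool"] = 1000
    pool = pool_cls(token)
    pool.rewards["claimant"] = 100
    budget = [reentries]
    def hook(recipient):  # re-enters claim_rewards while the transfer is in flight
        if budget[0] > 0:
            budget[0] -= 1
            pool.claim_rewards(recipient)
    token.on_receive = hook
    pool.claim_rewards("claimant")
    return token.balances.get("claimant", 0)

if __name__ == "__main__":
    print(simulate(VulnerablePool), simulate(FixedPool))
```

With three nested callbacks the vulnerable pool pays the 100-unit entitlement four times, while the fixed pool pays it once because the re-entrant call already sees a zero balance.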

Zyxel Critical Vulnerability

On September 4, Zyxel, a networking hardware manufacturer, disclosed a critical vulnerability in some of its devices. This flaw could allow attackers to execute code on users’ routers and access points, potentially giving hackers access to users’ devices.

The vulnerability stemmed from improper neutralization of special elements in the CGI program’s “host” parameter. This allowed unauthenticated attackers to execute OS commands by sending a crafted cookie to a vulnerable device.

Risks for Crypto Wallet Users

Crypto wallet users should be particularly cautious, as attackers gaining access to home networks could redirect traffic through DNS spoofing, view unencrypted data, or use deep packet inspection to decrypt encrypted data. This information could then be used for social engineering attacks to convince users to approve transactions or share private keys.

Zyxel has listed potentially affected devices, including:

  • NWA50AX PRO
  • NWA90AX
  • WAC500
  • USG LITE 60AX router

Zyxel advised users of these devices to upgrade their firmware.

Penpie Exploit: A Case of Permissionless Pools

The Penpie protocol suffered a $27 million exploit due to a flaw that allowed any user to create a Pendle market. Blockchain security firm Zokyo reported on September 4 that the vulnerability lay in the “registerPenpiePool” function, which lets users register a new pool address and Pendle Market.

To prevent malicious registrations, the function checks if the Pendle Market is listed in Pendle Finance’s factory contract. However, any user could get their market listed by calling the createNewMarket function in the factory contract, effectively allowing anyone to register a Pendle Market.

Exploiting the Vulnerability

The attacker exploited this flaw to create a fake Pendle Market and pool, designed to provide valuable Pendle tokens as rewards. The protocol also had a reentrancy flaw that allowed the attacker to repeatedly deposit tokens before balances could update, inflating rewards artificially. The attacker then withdrew the deposit and claimed the rewards, draining over $27 million.

Zokyo noted that the reentrancy flaw existed in the version they audited. However, only the protocol team could register a new pool and market at that time, preventing external attackers from exploiting it. The Penpie team later introduced “permissionless pool registration,” which was not fully audited in conjunction with the older contracts, leading to the exploit.

Moving Forward

Penpie has pledged to conduct periodic audits of the entire protocol to prevent future incidents. This exploit highlights the importance of comprehensive security audits, especially when introducing new features or updates.

Conclusion

The recent security incidents involving Pythia Finance, Zyxel, and Penpie underscore the critical importance of thorough security measures in the crypto and tech industries. Reentrancy attacks and vulnerabilities in networking hardware can lead to significant financial losses and security breaches. Regular, comprehensive security audits and prompt updates are essential to mitigate these risks and protect users.

These events serve as a reminder of the ever-evolving nature of security threats and the need for vigilance in safeguarding digital assets and infrastructure.
