Penpie Hack: How Over $27 Million in Ether Was Stolen and Laundered

The world of decentralized finance (DeFi) has offered investors opportunities and rewards that were unimaginable a decade ago. However, with its benefits come significant risks, as DeFi platforms are frequent targets of hacking exploits. One of the most recent incidents occurred on September 3, when the Penpie DeFi platform became the victim of a substantial hack. The hacker stole over $27 million worth of Ether (ETH) due to a reentrancy vulnerability in the Pendle staking market, which allowed unauthorized withdrawals.

This article explores how the hack unfolded, the laundering of the stolen funds, and Penpie's response to the attack.

Penpie Hack: A Reentrancy Vulnerability Exploited

The Penpie platform, built on both the Arbitrum and Ethereum networks, was a prime target for exploitation due to a reentrancy vulnerability in its Pendle staking market. Reentrancy vulnerabilities allow attackers to manipulate a smart contract's state by repeatedly calling a function before the previous execution is completed, effectively draining funds from the platform.

On September 3, the hacker identified and exploited this vulnerability, stealing a substantial sum of Ether. In total, the hacker made away with over $27 million in ETH, one of the most significant sums stolen in recent DeFi hacks. The funds were siphoned off from both the Arbitrum and Ethereum blockchains, highlighting the risks present across various blockchain networks.

Laundering the Stolen Ether: Tornado Cash Involvement

After the hacker successfully executed the exploit and gained control of the funds, the next step was to obscure the stolen funds’ origin. On September 6, three days after the hack, the hacker began the process of laundering the stolen Ether by transferring it to Tornado Cash, a well-known crypto mixer.

Tornado Cash allows users to mix their Ether with other users’ funds, effectively obscuring the transaction history and making it significantly more challenging to trace the source of the funds. While Tornado Cash was designed with privacy in mind, it has also become a favorite tool for hackers seeking to launder stolen crypto assets.

The hacker transferred the funds in multiple batches, carefully distributing 9,600 ETH—approximately $23 million—over the course of two days. By using Tornado Cash, the hacker aimed to cover their tracks and make the stolen assets harder to recover or trace.

Final Transfers: September 8 Marked the Completion of Laundering

On September 8, the hacker completed the laundering process. The remaining 1,661 ETH, worth millions of dollars, was funneled through the same intermediary address used for previous transfers. From there, the funds were sent through Tornado Cash, finalizing the transfer and laundering of all the stolen assets.

By the end of this series of transactions, the hacker had successfully moved the entirety of the $27 million in Ether through Tornado Cash, effectively making the assets difficult to recover. This sequence of events underscored the challenges that blockchain networks and DeFi platforms face when dealing with security breaches, particularly in an environment where hackers have access to sophisticated tools like Tornado Cash.

Failed Negotiations: Penpie’s Effort to Recover the Funds

In the immediate aftermath of the hack, Penpie’s team tried to establish communication with the hacker, hoping to recover the stolen assets. The DeFi platform offered a bounty in exchange for the safe return of the stolen Ether. This type of negotiation has worked in some previous cases within the DeFi world, where hackers returned funds in exchange for a portion of the value as a reward. This practice is sometimes referred to as “white-hat” hacking, where hackers exploit vulnerabilities to expose weaknesses rather than for malicious intent.

Unfortunately, Penpie’s offer was ignored by the hacker. Despite the platform’s efforts to negotiate, the hacker remained unresponsive, proceeding with the laundering process.

With no progress made in recovering the funds, Penpie escalated its efforts by announcing a $2.7 million bounty. The bounty, representing 10% of the stolen amount, was offered to anyone who could provide information leading to the identification and recovery of the stolen Ether.

Hacker Praise: The Euler Finance Exploiter’s Congratulatory Message

Adding an unexpected twist to the aftermath of the Penpie hack was a comment from the Euler Finance exploiter, who praised the Penpie hacker for the successful execution of the exploit.

For context, Euler Finance was another DeFi platform that fell victim to a massive hack earlier in 2023, in which hundreds of millions of dollars were stolen. The Euler Finance hacker's congratulatory comment might have seemed like a nod of approval from one hacker to another, adding a degree of notoriety to the Penpie hacker’s actions.

This strange interaction further highlights the mentality shared by some within the hacking community, where exploits are seen as technical achievements rather than criminal acts.

What’s Next for Penpie and the DeFi Community?

The Penpie hack serves as yet another reminder of the vulnerabilities that exist within decentralized finance platforms. While the concept of DeFi promises open and permissionless access to financial products, the technology remains in a relatively nascent stage, with many platforms still susceptible to sophisticated attacks.

The use of crypto mixers like Tornado Cash has also sparked debate within the blockchain community about the balance between privacy and security. While these tools provide privacy for users, they also offer bad actors a way to launder stolen funds without leaving a traceable trail. The widespread use of Tornado Cash by hackers has even led to increased scrutiny from regulators, with some calling for stricter controls on the use of such privacy tools.

Penpie’s Recovery Efforts

At the moment, it’s unclear if Penpie will be able to recover the stolen Ether. Despite the offer of a $2.7 million bounty, there has been no public update on any breakthroughs in recovering the funds. The platform’s users are left waiting, wondering if they’ll see any of their lost investments returned.

Penpie’s incident is likely to drive home the importance of security audits for DeFi platforms. While Penpie’s team is undoubtedly working on improving security measures, other platforms in the space will also need to learn from this exploit to avoid suffering similar fates.

Conclusion

The Penpie hack is a stark reminder of the challenges and risks that accompany the rapid growth of decentralized finance. With over $27 million in Ether stolen and successfully laundered through Tornado Cash, this incident demonstrates the vulnerabilities that exist in the DeFi space. As the community continues to grow, security measures will need to evolve to prevent future exploits. For now, the Penpie platform must navigate the difficult task of recovering its stolen assets, while the broader DeFi ecosystem braces itself for the next potential attack.