Pike Finance Exploited Twice in Three Days, Over $1.6 Million Lost

On early Wednesday morning, blockchain security firm Cyvers identified several anomalous transactions on the cross-chain lending protocol of Pike Finance. Cyvers further revealed that this suspicious transaction resulted in a substantial financial loss of approximately $1.6 million.

The illicit activity was primarily conducted across Ethereum (ETH), Arbitrum (ARB), and Optimism (OP) blockchains. The intruder leveraged a privacy-focused tool, Railgun, on Arbitrum for their cyberattack.

Pike Finance Suffered Exploitations Twice in Three Days

On-chain surveillance platform CertiK quickly traced the attack’s origins to April 30. It reveals that the attacker used a method to insert a malicious code by invoking the initialize function, which manipulated Pike Finance’s smart contract system.

“[The] attacker was able to initialize Pike Finance’s contract, during which the _isActive variable is set to the attacker’s address. The attacker could then use this privilege to call the contracts upgradeToAndCall function and change the implementation to one that they had created. They were then able to drain the contract’s assets,” CertiK’s representative told BeInCrypto.

Read more: Top 5 Flaws in Crypto Security and How To Avoid Them

Suspicious Transactions in Pike Finance. Source: Cyvers

Following the alerts, Pike Finance finally issued a statement detailing the exploit and its repercussions over its official X account. The protocol claimed a loss of 99,970.48 ARB, 64,126 OP, and 479.39 ETH from this incident.

According to the detailed breakdown provided by Pike Finance, the attacker upgraded the spoke contracts under a previously compromised framework. They then exploited the smart contract’s misaligned storage mapping.

“As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and withdraw funds,” the Pike Finance team wrote.

Pike Finance also highlighted its commitment to investigating the breach further. Additionally, it offers a 20% reward for any information leading to recovering the stolen assets. It will also discuss and announce plans to compensate affected users.

The recent exploit has a connection to a vulnerability in its USD Coin (USDC) withdrawal on April 26. Pike Finance acknowledged that the vulnerability is “due to weak security measures in functions managing USDC transfers via CCTP protocol. A critical flaw was found in the functions meant for burning USDC on a source chain and minting on a target chain, which was automated by Gelato’s services.

Read more: Top 10 Must Have Cryptocurrency Security Tips

“Inadequate protection of this function allowed attackers to manipulate receiver’s address and amounts, which were processed by Pike protocol as valid,” Pike Finance stated in a post-mortem post.

The exploitation saw the loss of 299,127 USDC, affecting three networks — Ethereum, Arbitrum, and Optimism. However, Pike Finance claimed that the incident only affected USDC assets, and all other assets are safe.