$pickle in a pickle as attacker swipes $20 million in ‘evil jar’ exploit

Published at: Nov. 21, 2020

In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million. 

The attack transpired roughly two hours ago, and ETH-savvy Twitter users were quick to notice that pickle’s cDAI jar — Pickle’s term for a yield-bearing vault — had been emptied:

I think @picklefinance's cDAI jar just got attacked and drained. https://t.co/Lxwi2dWSSZ pic.twitter.com/nUBE1KjEPh

— mattyb (@mattybchats) November 21, 2020

Unlike other recent attacks however, this particular exploit did not feature flashloans — an increasingly maligned DeFi tool that allows would-be exploiters additional liquidity with which to manipulate on-chain prices. Instead, this hacker swapped funds between a malicious copycat contract and the cDAI jar. 

In an interview with Cointelegraph, Emiliano Bonassi — a self-described whitehat hacker and the co-founder of DeFi Italy — explained that the attacker created “evil jars, ” smart contracts which “have the same interface of traditional jars but do bad things.”

The attacker then swapped funds between his “evil jar” and the real cDAI jar, making off with the $20 million in deposits.

Evil jars deployed during the attack and passed in the swapExactJarForJar, investigating more on thishttps://t.co/szRloiecV8https://t.co/l2xT4zhQB1The are sensible ops executed in that method (e.g. approve, withdraw etc). pic.twitter.com/29RNkF4vJb

— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 21, 2020

Particularly after the attack on Harvest Finance, Pickle Finance had looked to be on its way towards becoming one of the preeminent farming protocols. As of press time, Pickle’s stats website reported nearly $75 million total value locked remaining on the books, while the price of pickle, Pickle Finance’s governance token, is down 50% on the day to $11.16.

Pickle Finance’s woes are just the latest in a troubling trend across the DeFi space. Recent exploit victims in just the last few weeks include Harvest Finance, Value DeFi, Akropolis, Cheese Bank, and Origin Dollar, among others.

Perhaps, however, the vulnerabilities of one DeFi vertical might lead to the success of another. Said one Twitter trader:

Security audits are a meme.The new "audit" will be having proper insurance coverage.$Nsure $Cover

— Cope_Infinitum (@CryptoMessiah) November 21, 2020
Tags
Related Posts
How do DeFi protocols get hacked?
The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 million. By February 2021, the figure had grown to $40 billion; in April 2021, it attained a milestone of $80 billion; and now it stands at above $140 billion. Such rapid growth in a new market could not but attract the attention of all manner of hackers and fraudsters. According to a report by crypto research company, since 2019, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks. Hacks of blockchain ecosystems …
Technology / Aug. 14, 2021
Ethereum advances with standards for smart contract security audits
The Ethereum ecosystem continues to witness a flurry of activity that has individuals and organizations deploying token contracts, adding liquidity to pools and deploying smart contracts to support a wide range of business models. While notable, this growth has also been riddled with security exploits, leaving decentralized finance (DeFi) protocols vulnerable to hacks and scams. For instance, recent findings from crypto intelligence firm Chainalysis show that crypto-related hacks have increased by 58.3% from the beginning of the year through July 2022. The report further notes that $1.9 billion has been lost to hacks during this timeframe — a figure that …
Adoption / Aug. 22, 2022
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
STEPN impersonators stealing users' seed phrases, warn security experts
Peckshield, a prominent blockchain security firm, exposed the existence of numerous phishing websites for the Web3 lifestyle app STEPN on Monday. Hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users, according to Peckshield. When these cybercriminals obtain the seed phrase, they gain complete control over the STEPN user's dashboard where they may connect their stolen wallets to their own or "claim" a giveaway as per Peckshield. #PeckShieldAlert #phishing PeckShield has detected a bath of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or …
Adoption / April 25, 2022
Can Web3 be hacked? Is the decentralized internet safer?
Web3 came into existence posed as a blockchain-powered disruption to the current state of the internet. Yet, as a nascent technology, a fog of assumptions plagues discussions about the real capabilities of Web3 and its role in our day-to-day lives. Considering the promise of a decentralized internet using public blockchains, a complete transition to Web3 would require scrutiny across several factors. Out of the lot, security stands as one of the most crucial features as, in a Web3-powered world, tools and applications hosted over the blockchains go mainstream. Smart contract vulnerabilities While the blockchains that host Web3 applications remain impenetrable …
Adoption / Aug. 21, 2022