- Pike Finance clarified that USDC’s product offerings had nothing to do with the security lapse that led to the $1.6M exploit on its network.
- The exploit occurred due to Pike’s inadequate integration of third-party technologies such as Circle’s Cross-Chain Transfer Protocol (CCTP) and Gelato Network’s automation services.
- The root cause of the exploit was a vulnerability in Pike’s smart contract that allowed attackers to bypass admin access and withdraw funds, which was previously identified but not addressed in time.
Pike Finance, a decentralized finance (DeFi) protocol, recently experienced a $1.6 million exploit due to a vulnerability in their smart contracts. They had originally attributed the issue to a vulnerability in USDC, but later clarified that this was not the case.
The Exploit and Initial Statement
On April 30th, an attacker exploited a vulnerability in Pike Finance’s smart contracts to drain about $1.68 million worth of assets across multiple blockchains. This included $1.4 million in ETH, $150,000 in Optimism (OP), and $100,000 in Arbitrum (ARB) tokens.
In their initial statement about the hack, Pike Finance claimed “This exploit is related to the initial USDC vulnerability that was reported last week on the 26th of April.” This seemed to imply the issue was with USDC itself.
Pike Finance Retracts Original Statement
However, Pike Finance later retracted their original statement, explaining that the wording they used did not accurately describe what happened.
They clarified that the exploit was caused by vulnerabilities in Pike’s own smart contract functions when handling transfers using Circle’s Cross-Chain Transfer Protocol (CCTP) service. The root cause was unrelated to any issues with Circle’s USDC product itself.
The Cause of the Exploit
Pike explained that the exploit resulted from their team’s improper integration of third-party technologies like CCTP and Gelato Network’s automation services.
Their auditing partner OtterSec had already identified the vulnerability that enabled the first hack on April 26th, but Pike’s developers failed to address it in time. This allowed the attacker to bypass admin controls and withdraw funds during the second hack a few days later.
Conclusion
While unfortunate, this event highlights the need for robust smart contract auditing and rapid response to identified vulnerabilities. Pike Finance’s clarification absolves USDC of blame, placing responsibility for the exploit solely on their own inadequate security practices. The DeFi space continues to prove it has a lot of maturing left to do.