Nearly $20M Drained from DAI Pickle Jar in a ‘Very Complicated Attack’ on its Latest Version

Deposits in the DeFi project Pickle Finance have come down to $23.6 billion from $163 million on Nov. 5th and an all-time high of $344.5 billion on 16th Sept. So, the decline that came after the exploit the project experienced over the weekend didn’t affect it much, as the funds are around the level they were in October.

The price of the project's governance token, PICKLE, did crash hard, falling 62.6% to $8.70; it is currently around $12, as per Coingecko.

On Nov. 21 at 06:37 PM (UTC), the project's pDAI PickleJar was hacked and 19,759,355 DAI were drained.

Victims have been communicating with the attacker asking them to return their funds, but the hacker hasn't responded or moved any funds.

As per the reverse-engineering done by a group of white hat hackers, it was a “very complicated attack” that involved many components of the protocol.


Source: Evil Jar Technical Post-mortem by Banteg

The Pickle Finance DeFi project is designed to help maintain the peg of stablecoins with farming incentives. Its Pickle Jars are forked versions of Yearn Vaults v1 with modifications, and a Controller contract controls these jars.

Its latest version enabled direct swaps between Jars, and the hacker leveraged this added swap functionality together with multiple design flaws to execute the attack, Banteg reported.

Interestingly, the project was audited by Haechi last month, and the audit found no critical or major issues. But it was done before the latest functionality was added. The auditing team said on Twitter,

“The exploit occurred in a newly created smart contract, not a smart contract subject to security audit.”

On the same day as the attack, at 3:15 PM (UTC), the offending code was revoked by executing a Timelock transaction, and further revoked from the Controller, which was required for the identified attack vector. The team said on Twitter,

“Several aspects of the PickleJar controller have been patched. This means that the PickleJars are now safe from the same attack vector. Deposits in other Jars may resume, but please refrain from depositing in the DAI Jar for now.”

Bitcoin Exchange Guide