$pickle in a pickle as attacker swipes $20 million in “evil jar” exploit
In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million.
The attack transpired roughly two hours ago, and ETH-savvy Twitter users were quick to notice that pickle’s cDAI jar — Pickle’s term for a yield-bearing vault — had been emptied:
I think @picklefinance’s cDAI jar just got attacked and drained. https://t.co/Lxwi2dWSSZ pic.twitter.com/nUBE1KjEPh
— mattyb (@mattybchats) November 21, 2020
Unlike other recent attacks however, this particular exploit did not feature flashloans — an increasingly maligned DeFi tool that allows would-be exploiters additional liquidity with which to manipulate on-chain prices. Instead, this hacker swapped funds between a malicious copycat contract and the cDAI jar.
In an interview with Cointelegraph, Emiliano Bonassi — a self-described whitehat hacker and the co-founder of DeFi Italy — explained that the attacker created “evil jars, ” smart contracts which “have the same interface of traditional jars but do bad things.”
The attacker then swapped funds between his “evil jar” and the real cDAI jar, making off with the $20 million in deposits.
Evil jars deployed during the attack and passed in the swapExactJarForJar, investigating more on thishttps://t.co/szRloiecV8https://t.co/l2xT4zhQB1
The are sensible ops executed in that method (e.g. approve, withdraw etc). pic.twitter.com/29RNkF4vJb
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 21, 2020
Particularly after the attack on Harvest Finance, Pickle Finance had looked to be on its way towards becoming one of the preeminent farming protocols. As of press time, Pickle’s stats website reported nearly $75 million total value locked remaining on the books, while the price of pickle, Pickle Finance’s governance token, is down 50% on the day to $11.16.
Pickle Finance’s woes are just the latest in a troubling trend across the DeFi space. Recent exploit victims in just the last few weeks include Harvest Finance, Value DeFi, Akropolis, Cheese Bank, and Origin Dollar, among others.
Perhaps, however, the vulnerabilities of one DeFi vertical might lead to the success of another. Said one Twitter trader:
Security audits are a meme.
The new “audit” will be having proper insurance coverage.$Nsure $Cover
— Cope_Infinitum (@CryptoMessiah) November 21, 2020