Pike Finance, a decentralized finance (DeFi) lending protocol, fell victim to its second exploit in three days, resulting in the loss of $1.68 million worth of digital assets. According to CertiK, the exploit occurred across the Ethereum, Arbitrum, and Optimism chains on April 30.
Overnight @PikeFinance was exploited for ~$1.68m
The attacker executed the initialize function, adding their address to the _isActive variable
The attacker could then perform an upgradeToAndCall and upgrade to a malicious implementation pic.twitter.com/FyxwlCYkad
— CertiK Alert (@CertiKAlert) May 1, 2024
The attacker exploited a vulnerability in Pike Finance’s smart contract, manipulating the output address and draining the contract of significant assets. CertiK reported that over $1.4 million worth of ETH, $150,000 worth of Optimism (OP) tokens, and over $100,000 worth of Arbitrum (ARB) tokens were stolen.
This incident follows another exploit that occurred on April 26, resulting in a $300,000 loss. Both attacks stemmed from the same smart contract vulnerability, allowing the attacker to override the contract’s functionalities.
In a post on X, Pike Finance explained that the vulnerability caused the contract to behave as if it were uninitialized, bypassing admin access and enabling the withdrawal of funds.
Attention Users:
On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH.
This exploit is related to the initial USDC vulnerability that was reported last week on the 26th of April.
In order to pause the protocol, the spoke…
— Pike (@PikeFinance) May 1, 2024
To address the situation, Pike Finance is offering a 20% reward for the return of the funds or any information leading to their recovery. The protocol is actively investigating the exploit to prevent future incidents and mitigate losses.
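The sequence CertiK describes (a successful `initialize` call on a contract that was already set up, followed by `upgradeToAndCall` from the same address) can be watched for in decoded transaction traces. The following is an added example, not code from Pike Finance or CertiK; the `Call` record, the `find_reinit_takeovers` helper, the block window and all addresses are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    block: int
    contract: str   # proxy that received the call
    sender: str
    function: str   # decoded function name
    success: bool

# Constructed sample data: placeholder addresses, not values from the incident.
SAMPLE_CALLS = [
    Call(100, "0xProxyA", "0xDeployer", "initialize", True),
    Call(120, "0xProxyA", "0xDeployer", "upgradeToAndCall", True),  # routine admin upgrade
    Call(900, "0xProxyA", "0xStranger", "initialize", True),        # second initialize succeeds
    Call(901, "0xProxyA", "0xStranger", "upgradeToAndCall", True),
    Call(950, "0xProxyB", "0xStranger", "initialize", False),       # reverted, guard held
    Call(951, "0xProxyB", "0xStranger", "upgradeToAndCall", False),
]

def find_reinit_takeovers(calls, already_initialized=(), window=50):
    """Return alerts for repeat initialize calls and the upgrades that follow them.

    already_initialized lists contracts set up before the trace begins, so the
    first initialize seen in the trace is not mistaken for the legitimate one.
    """
    initialized = set(already_initialized)
    reinit = {}   # (contract, sender) -> block of the repeat initialize
    alerts = []
    for c in sorted(calls, key=lambda c: c.block):
        if not c.success:
            continue  # a reverted call means the access check worked
        if c.function == "initialize":
            if c.contract in initialized:
                reinit[(c.contract, c.sender)] = c.block
                alerts.append(("reinitialized", c.contract, c.sender, c.block))
            initialized.add(c.contract)
        elif c.function == "upgradeToAndCall":
            start = reinit.get((c.contract, c.sender))
            if start is not None and c.block - start <= window:
                alerts.append(("reinit_then_upgrade", c.contract, c.sender, c.block))
    return alerts

if __name__ == "__main__":
    for alert in find_reinit_takeovers(SAMPLE_CALLS):
        print(alert)
```

A `reinitialized` alert on its own already indicates that the initializer guard failed and is worth pausing on before any upgrade follows.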
In contrast to Pike Finance’s unfortunate situation, the broader cryptocurrency ecosystem saw a decline in hacks and scams during April. According to CertiK’s report, total losses from exploits and scams fell to $25.7 million, the lowest monthly amount since 2021.
Combining all the incidents in April we’ve confirmed ~$25.7m lost to exploits, hacks and scams.
The lowest figure we’ve recorded, dating back to 2021.
A 141% decrease from March
Exit scams: ~$4.3m
Flash loans: ~$129k
Exploits: ~$21m
More details below pic.twitter.com/zfSh8mabzJ
— CertiK Alert (@CertiKAlert) April 30, 2024
This decline, amounting to a 141% decrease from the previous month, was primarily attributed to a reduction in private key compromises. In March, there were 11 attacks against protocols via private key compromises, compared to only three in April.