The latest affected project in a series of DeFi exploits is Pickle Finance – an automated yield aggregator with a mission to make stablecoins stable. Over the weekend, a hacker was able to exploit Pickle’s code to transfer $19M worth of Dai to an ‘Evil Jar’, leaving most LP’s in a pickle.
The project allows users to deposit stablecoins into interest-earning contracts called ‘Jars’ – Pickle’s spinoffs of strategies coined by Yearn Finance ‘Vaults’.
Not Fully Audited
After launching during the DeFi food craze, Pickle has amassed over $100M in TVL and received an audit. However, the introduction of Jars was not fully audited, allowing one hacker to execute one of the most complex series of transactions to date and transfer funds from the primary Dai Jar into an ‘Evil Jar’. A full recap of the exploit can be found here.
While many were quick to assume the hack was yet another use of flash loans, further investigation showed it was actually a complex arbitrage opportunity. The hacker was able to exploit the lack of whitelists to give themselves the ability to swap funds to and from the main Jar, bypassing a series of checks and balances to make off with $19M in the process.
Now, insurance protocols are voting on whether or not the ‘exploit’ deserves to be compensated through governance. The leading cover provider Nexus Mutual does not support Pickle Finance. Still, a new spinoff called Cover Finance does, and its Snapshot vote has passed to cover the claim. This means that affected users that hold CLAIM tokens will be reimbursed when the redeem tab goes live in the following days.
A group of white hat hackers came together to re-engineer the hack, open sourcing their findings in the process in the hopes of letting other teams learn from Pickle’s mistakes. As for Pickle users, there will not be an IOU issued. However, this morning’s announcement that Pickle Jars will be merging with Yearn means the project lives on.