Pike Finance admits to error following $1.7 million exploit, denies fault of USDC
The DeFi protocol backtracked earlier statements connecting the exploit of its platform to a USDC vulnerability.
On May 1, DeFi protocol Pike Finance corrected its description of a recent exploit and said it was not caused by a USDC vulnerability, as previously stated.
According to the company’s latest statement:
“The term ‘USDC vulnerability’ was inaccurate for summarizing last week’s exploit.”
Instead, weaknesses in Pike’s contract functions, particularly issues related to the handling of transfers on Circle’s Cross-Chain Transfer Protocol (CCTP), allowed the incident to occur.
It added that the root cause of the exploit was unrelated to the “functionality and robustness” of Circle’s USDC enabled by CCTP or Gelato — a smart contract automation protocol.
Pike Finance originally admitted full responsibility in its explanation of the first April 26 attack, noting the exploit was a “consequence of the protocol [team’s] improper integration” of third-party technologies and that the responsibilities for certain checks lay “solely on Pike as an integrator.”
However, when retrospectively referring to the first attack following the April 30 incident, it misleadingly said it may have been related to a “USDC vulnerability.”
Each attack led to sizeable losses for Pike Finance.
The April 30 attack saw the theft of 99,970.48 ARB, 64,126 OP, and 479.39 ETH. The incident resulted in a loss of $1.7 million, according to Certik data.
The earlier April 26 attack involved the loss of 299,127 USDC on Ethereum, Arbitrum, and Optimism, according to Pike Finance statements.
Cause of each attack
The first attack on April 26 resulted from functions related to USDC transfers on CCTP as automated by Gelato. The vulnerability allowed attackers to change the receiver’s address and amounts, which Pike Finance processed as valid due to its improper integration of the features.
Pike Finance said that its auditing partner, OtterSec, informed it of the issue. The protocol added that it was unable to address the vulnerability before the attack.
The second attack occurred after Pike Finance upgraded its spoke contracts to pause the network. The update ultimately caused the contract to behave as if it were uninitialized, allowing attackers to upgrade the contract, bypass admin access, and withdraw funds.
Pike Finance is one of many DeFi projects that have fallen victim to exploits. However, April showed reduced losses from scams and exploits, according to recent reports.