Unknown attackers recently siphoned digital assets valued at just under $1.6 million from the decentralized finance protocol Pike Finance. The protocol announced it is offering a 20% reward for the return of the funds while an investigation into the incident continues.
USDC Vulnerability
The decentralized finance (DeFi) protocol Pike Finance said on May 1 that its platform had recently been exploited for approximately $1.6 million, or 99,970.48 ARB, 64,126 OP, and 479.39 ETH. According to Pike Finance, the latest exploit, which occurred on April 30, is connected to a USDC vulnerability initially reported four days earlier.
In a statement issued via X, Pike Finance said it is offering a 20% reward for the return of the funds while an investigation into the incident is ongoing. The same reward is also being offered for information that leads to the return of the stolen funds.
Detailing the sequence of events leading to the attack, Pike Finance suggested that the inclusion of an additional dependency within the smart contract code may have helped trigger the attack.
“This dependency introduced new variables which altered the storage layout – in particular, the position of the initialized variable. As a result, the position occupied by the initialized variable was taken over by other variables, leading to a misalignment in storage mapping. This misalignment caused the contract to behave as if it was uninitialized, since the initialized variable could no longer be accessed,” Pike Finance said.
The statement added that the attackers were able to upgrade the spoke contracts, which in turn enabled them to bypass admin access and steal the funds. Pike Finance said it plans to issue, at a later date, a report and a plan for making users whole again.
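The storage misalignment described in the statement can be reproduced in a small model, shown here as an added example that is not Pike Finance's code. It also goes one step further with a pre-upgrade layout check (`layout_breaks`) that flags moved variables. Assumptions: all contract and variable names are hypothetical, and each variable takes one slot in declaration order, ignoring Solidity's packing rules.

```python
# Simplified model of proxy storage: one variable per 32-byte slot, assigned in
# declaration order (real Solidity also packs small types; ignored here).
# All contract and variable names are hypothetical, not Pike Finance's code.

def layout(variables):
    """Map each variable name to its slot index, in declaration order."""
    return {name: slot for slot, name in enumerate(variables)}

def layout_breaks(old_vars, new_vars):
    """Return variables whose slot changed or vanished between versions."""
    old, new = layout(old_vars), layout(new_vars)
    return sorted(name for name, slot in old.items() if new.get(name) != slot)

class Proxy:
    """Holds storage; the logic reads it through the current layout."""
    def __init__(self, variables):
        self.slots = {}                   # slot index -> value, zero by default
        self.upgrade(variables)

    def upgrade(self, variables):
        self.layout = layout(variables)   # storage itself is untouched

    def read(self, name):
        return self.slots.get(self.layout[name], 0)

    def write(self, name, value):
        self.slots[self.layout[name]] = value

    def initialize(self, caller):
        if self.read("initialized"):
            return False                  # guard: already initialized
        self.write("initialized", 1)
        self.write("admin", caller)
        return True

V1 = ["initialized", "admin", "balance"]
# V2 inherits a new dependency whose variables are declared first.
V2 = ["dep_flag", "dep_counter", "initialized", "admin", "balance"]

def demo():
    proxy = Proxy(V1)
    first = proxy.initialize("deployer")
    blocked = proxy.initialize("stranger")   # guard holds under V1
    proxy.upgrade(V2)
    reinit = proxy.initialize("stranger")    # guard now reads empty slot 2
    return first, blocked, reinit, proxy.read("admin")
```

Running `layout_breaks` against the old and new variable lists before an upgrade flags every moved variable; appending new variables after the existing ones leaves the list empty.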