The rising popularity of Decentralized Finance (DeFi) is attracting not only investors but also a great deal of attention from hackers and online thieves. In the most recent case, Pickle Finance’s DeFi protocol has become the latest victim of what appears to be an exploit worth an astounding $20 million.
As revealed by the user under the pseudonym “statelayer.eth”, Pickle Finance deployed a new strategy in a bid to maximize returns from the stablecoin DAI. This was claimed to have been posted by a Pickle team member in a Discord chat. It is important to note that the DeFi platform essentially moves investors’ money between different protocols to maximize returns.
— state (@statelayer) November 21, 2020
However, many users noticed that Pickle Finance’s yield-bearing vault, which it calls the cDAI jar, had been emptied: someone allegedly drained $19.7 million of the stablecoin from that wallet. The attacker in question reportedly swapped the funds between their “evil jar” and the real cDAI jar, making off with the deposited funds.
Pickle Finance’s breach is the 13th largest hacking attack on decentralized finance platforms revealed so far in 2020. Several DeFi protocols have been the victims of flash loan-based oracle attacks; bZx Protocol was the most frequently attacked platform, while Harvest was the project with the biggest loss. Additionally, Maker lost funds worth $8.3 million in an attack in March this year.
This month alone, three flash loan attacks were observed. Acropolis lost $2 million, which it has not yet recovered. Just two days later, Value protocol was drained of $7.4 million in an attack. This was followed by Origin Protocol’s yield-generating stablecoin protocol being attacked and drained of nearly $7 million.
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 21, 2020
But unlike the prior flash loan attacks that have plagued the DeFi realm over the past couple of months, Pickle Finance’s attackers leveraged a bug in Pickle’s Swap Jar functionality, which allows yield farming strategies to be swapped between jars. According to experts, there was no check to verify that the jar the funds were being swapped into was legitimate rather than malicious.
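To illustrate the class of flaw described above, here is an added, simplified Solidity sketch (not Pickle’s actual code, and the contract, interface and function names are hypothetical): a jar-swap routine that accepts any destination address, beside a hardened version that only moves funds into jars registered by governance and holding the same underlying token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified jar interface (assumption; not Pickle's real ABI).
interface IJar {
    function token() external view returns (address);
    function deposit(uint256 amount) external;
    function withdraw(uint256 amount) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Weak pattern: the destination jar is never validated, so funds can be
// deposited into any contract that merely implements the IJar interface.
contract SwapJarsUnchecked {
    function swapJars(IJar fromJar, IJar toJar, uint256 amount) external {
        fromJar.withdraw(amount);                                  // underlying lands here
        IERC20(fromJar.token()).approve(address(toJar), amount);
        toJar.deposit(amount);                                     // toJar is untrusted
    }
}

// Hardened pattern: only governance may swap, both jars must be registered,
// and the destination must hold the same underlying token as the source.
contract SwapJarsChecked {
    address public immutable governance;
    mapping(address => bool) public isRegisteredJar;

    constructor() { governance = msg.sender; }

    function registerJar(address jar, bool allowed) external {
        require(msg.sender == governance, "not governance");
        isRegisteredJar[jar] = allowed;
    }

    function swapJars(IJar fromJar, IJar toJar, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(isRegisteredJar[address(fromJar)], "source jar not registered");
        require(isRegisteredJar[address(toJar)], "destination jar not registered");
        require(fromJar.token() == toJar.token(), "underlying token mismatch");
        fromJar.withdraw(amount);
        IERC20(fromJar.token()).approve(address(toJar), amount);
        toJar.deposit(amount);
    }
}
```

The registry check is the piece the text says was missing: without it, the swap trusts whatever address it is handed, and the deposit call becomes a transfer of user funds to an arbitrary contract.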