Hack Track: Pike Finance Flow of Funds Analysis
Prachi Pandey
Pike Finance, a platform designed to simplify borrowing and lending digital assets across different blockchains, fell victim to a series of attacks in April 2024. Pike Finance allowed users to interact with their crypto directly on their native blockchains, eliminating the need for a complex "wrapping" process. This innovative approach aimed to streamline DeFi experiences.
However, between April 26th and 30th, hackers exploited a critical vulnerability in Pike Finance's smart contract code. This vulnerability, known as an access control issue, allowed unauthorized access to user funds. The attack spanned across three blockchains: Ethereum, Arbitrum, and Optimism, resulting in a total loss of over $1.98 million.
In a swift response to the hack, Pike Finance issued a statement, saying:
“On the 30th of April 2024, the Pike Beta protocol was exploited for 99,970.48 ARB, 64,126 OP and 479.39 ETH. This exploit is related to the initial USDC vulnerability that was reported last week on the 26th of April.”
Merkle Science’s Flow Funds Analysis:
26th April:
- The exploit stemmed from vulnerabilities in Pike's smart contract functions handling USDC transfers through the Cross-Chain Transfer Protocol (CCTP)
- The attacker could manipulate the receiver's address and amounts during USDC transfers
- Pike Finance, due to improper integration, processed these manipulated transfers as valid, leading to the initial loss of 299,127 USDC worth $299,279.00
30th April:
- This exploit was connected to the initial USDC vulnerability and a subsequent mitigation attempt was made.
- Pike upgraded the spoke contracts to pause the protocol and added a dependency to the smart contract code.
- This additional dependency caused a misalignment in the storage layout, specifically affecting the "initialized" variable.
- The coding error (misalignment) made the "initialized" variable unreadable. As a result, the contract functioned as if it was uninitialized.
- This vulnerability allowed the attacker to upgrade the spoke contracts without admin access and ultimately withdraw funds.
Arbitrum:
99,970.4804 ARB and 3,009.9025 DAI were received in the ARB Exploiter address and were swapped for 34 ETH. Out of this, 33ETH was sent over to the ETH Exploiter address using a cross-chain bridge.
Optimism:
64,126.668 OP tokens (hack proceeds) were swapped for 50.2556 ETH and were sent over to the ETH Exploiter address using a cross-chain bridge.
Ethereum:
The ETH Exploiter received 50.1662 ETH from the OP blockchain and 32.995 from the Arbitrum blockchain in addition to the 479.3938 stolen on the Ethereum blockchain.
Of the total ETH received, 562 ETH was sent over to a DeFi relay protocol named RAILGUN.
What is the RAILGUN Relay?
RAILGUN is a smart contract system designed to provide Zero-Knowledge Privacy (ZK) for any on-chain DApp. In simpler terms, it allows users to engage with DeFi protocols without revealing their transaction details or account information.
How Does RAILGUN Work?
RAILGUN's magic lies in two key technologies:
- ZK-SNARKs: This cryptographic tool enables users to prove they have the necessary funds for a transaction without disclosing the actual amount or their wallet address.
- Relayers: To interact with protocols outside the RAILGUN system, intermediary services called "relayers" come into play. These relayers collect and forward transactions on behalf of users, further anonymizing the process.
Why do attackers use RAILGUN?
- Enhanced Privacy: By utilizing zk-SNARKs and relayers, RAILGUN shields user privacy in both transactions and smart contract interactions within DeFi.
- Decentralized: RAILGUN operates as a fully decentralized application, meaning no single entity controls it.
- Community-Driven: Development and maintenance are driven by a dedicated community of developers and contributors.
- Fee Flexibility: Users can choose to pay relayers a fee for their services or self-relay transactions for a lower cost.