Another popular DeFi protocol was jeopardized on Saturday when Pickle Finance was attacked and $19.7 million in DAI, a decentralized stablecoin pegged to the USD, was drained from a Pickle wallet.
Pickle emerged on Sept. 11 as one of many food-themed DeFi projects. It is a fully automated system in which users are rewarded with interest payments and token distributions in PICKLE, ether, and stablecoin pairings for providing liquidity to several stablecoin pools.
On Nov. 20, the team launched the cDAI jar, a “new approach” intended to ratchet up the returns from DAI deposited on the decentralized lending protocol Compound. This is the strategy the hacker exploited.
“A sophisticated attack was launched on our protocol resulting in a loss of funds,” confirmed the Pickle Finance team in a tweet.
Following the attack, the price of Pickle Finance’s token, PICKLE, plummeted by 43.8% to an estimated $12.75, according to CoinGecko.
Unlike other DeFi fiascos that have been hitting the market for several months, however, this one doesn’t appear to be a flash loan attack. Instead, the attacker swapped funds between a malicious copycat contract and the cDAI jar.
Emiliano Bonassi, a self-proclaimed whitehat hacker and the co-founder of DeFi Italy, stated that the hacker deployed “evil jars”, essentially smart contracts that “have the same interface of traditional jars but do bad things”. Using them, the attacker traded funds between his “evil jar” and the real cDAI jar, draining the $20 million.
As reported by Pickle Finance, the attack was indeed very complicated and involved many components of the Pickle protocol. “We’re encouraging all LPs to withdraw their funds from the Jars until the issues have been resolved,” the Pickle team tweeted.
- Approximately $20M in funds was lost.
- The attacker swapped funds between his “evil jar” and the real cDAI jar.
- PICKLE fell by 43.8%.