Another day, another DeFi hack. Pickle Finance just announced that funds deposited in one of its smart contracts were stolen by a hacker hours ago.
The team is still investigating how exactly the hacker stole approximately $20 million in funds. Their wallet is still “dormant” and has not started the “money laundering” phase that tends to follow every hack.
And if a hack was not enough, Pickle Finance’s token (PICKLE) crashed after the news spread, losing almost 58% in a matter of hours.
The Pickle Finance DeFi Hack Was “Well Studied, and Not Easy”
Whoever attacked the protocol stole the funds from Pickle Finance’s DAI PickleJar -or pJar. This Jar contained cDAI tokens issued by Compound when Pickle Finance deposited DAI in that protocol.
Pickle Finance focused on providing an automatic solution for moving funds between various DeFi protocols in order to maximize profits. Hence, they required depositing funds in Compound as a kind of “common ground” for trading and arbitration.
The attack on Pickle Finance is not following the flash loan M.O that hackers seem to be using to exploit vulnerabilities in most of the DeFi protocols. In this case, the hacker created a malicious contract and used it to interact with legitimate contracts.
Emiliano Bonassi, the co-founder of DeFi Italia, described an approximation of whow the hacker managed to steal the $20 million. In short, the attacker created “bad jars,” —contracts with a similar interface to the “good jars” but programmed differently. The attacker then exchanged funds between his “bad jar” and the real cDAI Jar, taking the $20 million in deposits.
The are sensible ops executed in that method (e.g. approve, withdraw etc). pic.twitter.com/29RNkF4vJb
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 21, 2020
The process, says Bonassi, was extremely complex,”well studied, and not easy.” However, even he finds it curious that the hacker didn’t rely on flash loans.
DeFi is Great… DeFi Hacks, Not So Much
The recent wave of DeFi hacks may be a sign of how immature the ecosystem is and why some argue that, right now, DeFi is in no way competition for the more secure and stable traditional centralized finance protocols.
The most recent cases of attacked protocols are Value DeFi, Harvest Finance, Akropolis, and Balancer. All of them have caused millions of dollars in losses to investors, many of whom had no chances to get their money back due to the projects’ decentralized nature.
However, as hacks become more popular, the quality of DeFi protocols —and the number of new products— improves. In a way, trying to get a positive spin on something that hardly has one, the pain caused by the hacks has helped strengthen the DeFi protocols. One example is Value Defi, which abandoned its private oracle and started using Chainlink after a millionaire hack.
Perhaps in the future, hacks will become less frequent, but just as the DeFi phenomenon resembles the ICO hype of 2017, the hacks of 2020 will continue to resemble the exit scams of three years ago.