The DeFi sector faces another loss in November after an anonymous hacker attacked Pickle Finance and stole $19 million in DAI. This event marks the largest hack in November and the second-largest DeFi hack following Harvest Finance. At the time of writing, the developer team is looking to fix the exploit and bring Pickle Finance back online.
The hack occurred on November 21 when a malicious actor stole exactly $19.7M from the pDAI PickleJar liquidity pool. Shortly after, a skillful Crypto Twitter user reported the incident after seeing a negative balance on the LP’s smart contract.
Before the official developer team released a public statement, the community had already discovered how the hack happened. In contrast to previous exploits, the hacker did not use flash loans this time. Instead, he exploited the project’s code by utilizing a malicious smart contract with the cDAI jar.
The malicious smart contract exposed the same interface as the original jar (the developers' name for an LP), and he used it to transfer the funds. By doing so, he successfully transferred all the deposited assets out of the DAI liquidity pool.
After the Harvest Finance hack, the DeFi community believed that Pickle Finance would replace the yield farming protocol. In recent weeks, the market recorded a significant surge of interest in the alternative platform. However, all of that progress has now been wiped out as a result of the hack.
PICKLE native token halves in price following hack
The native PICKLE token reached a price of $23 before the hack. After discovering the news, investors soon started to sell and dumped the token to $8.7. However, PICKLE bounced after a short time with a significant increase in volume.
At the time of writing, the token costs $12.79. The price action closely resembles the fate of Harvest Finance’s FARM token. In that case, we saw FARM recovering after a sharp drop in price. But ultimately, the token did not recover as strongly as investors believed, seeing that the token now ranges around its local low.
As a result, we see that investors do not regain their original trust following a hack. Their behavior showcases a sudden readiness to quickly migrate to other projects.
Pickle Finance core team issues a report
On November 22, Pickle Finance published a blog post on Medium which described the events. They reported that the pDAI PickleJar lost all of its 19,759,355 DAI. The team also notes that a team of white hat hackers contacted the core developers to figure out how and why the hack happened.
Pickle Finance notes that the two groups reverse-engineered the transaction made by the hacker in order to replicate the attack. In total, 10 people led by anonymous developer ‘Banteg’ worked on the process for almost 4 hours.
The team notes that the attack was incredibly complicated and that it involved many features of Pickle Finance. A few hours later, the team patched the exploit. However, a Twitter post suggested that users should refrain from depositing in the DAI LP for now. Later on, Banteg released a GitHub page which contained a full technical report regarding the hack.
While the team has turned on all deposits, it remains to be seen whether DeFi enthusiasts plan to participate in the protocol. It is highly likely that the protocol will attract fewer users than before. Moreover, we believe that the project will not recover if it does not soon publish details of a reimbursement program. So far, the team has released no updates discussing the return of the DAI assets to users.