Pike Finance clarifies ‘USDC vulnerability’ statement on $1.6M exploit
The decentralized finance (DeFi) protocol Pike has clarified its previous statement regarding a vulnerability found in USDC Coin (USDC). The clarification comes after the platform experienced a $1.6 million exploit on April 30.
On May 1, Pike published an announcement saying that the exploit was related to a vulnerability on USDC and that USDC’s product offerings had nothing to do with the security lapse that the network suffered.
“This exploit is related to the initial USDC vulnerability that was reported last week on the 26th of April.”
However, the DeFi protocol quickly retracted the statement, explaining that the phrase they used did not accurately describe the exploit that transpired.
Pike highlighted that the exploit was caused by lapses in its security measures in its contract functions when handling transfers with the Cross-Chain Transfer Protocol (CCTP), a service provided by USDC-issuer Circle.
Pike clarified that the root cause of the exploit is unrelated to the functionality of Circle’s product offerings.
In a previous announcement, Pike Finance said that its auditing partner had already discovered the vulnerability that caused the first hack on April 26, but their team could not address it. They wrote:
“It is important to clarify that this vulnerability was previously identified by our auditing partner, OtterSec. Our developer team was unable to address the identified vulnerability in a timely manner.”
Pike noted that the exploit resulted from their team’s “improper integration” of third-party technologies like the CCTP or Gelato Network’s automation services.
The initial attack led to the theft of $300,000 worth of digital assets.
Related: April sees $25M in exploits and scams, marking historic low ― CertiK
On April 30, an attacker used a vulnerability in the protocol’s smart contract to drain about $1.68 million across Ethereum, Arbitrum and Optimism. In total, the attacker took $1.4 million in Ether (ETH), $150,000 in Optimism (OP) and about $100,000 in Arbitrum (ARB) tokens.
Pike recognized that both attacks were due to the same smart contract vulnerability. The protocol said that the misalignment in the contract eventually allowed the attackers to bypass admin access and withdraw funds.
Even though hacks still plague the crypto space, data shows that losses in crypto-related hacks showed a sharp decline in April compared to February and March.
On May 1, PeckShield reported that losses from hacks in April dropped to $60 million, a steep jump from February’s $360.8 million and March’s $187.6 million.
Magazine: Web3 gaming won’t exist in 5 years, $656K for best crypto game pitch: Web3 Gamer