Over $27 million stolen from Penpie: will Magpie's $1.3 billion ecosystem be affected?

ChainCatcher Selection
2024-09-05 19:19:43
The Magpie ecosystem has 10 subDAOs, and its products have penetrated multiple DeFi and LST protocols.

Author: Xiyou, ChainCatcher

Editor: Marco, ChainCatcher

On September 5, Penpie, a yield product built on the yield tokenization protocol Pendle, stated in its latest security incident report that the hacker attack resulted in a loss of over $27 million worth of ETH.

According to DeFiLlama, the total value locked (TVL) of crypto assets on the Penpie platform is approximately $90 million, with the hacker stealing about one-third of the assets on the platform.

Although the Penpie protocol is not well-known in the crypto space, the DeFi protocols involved have a significant impact on the crypto industry. Firstly, the underlying yield tokenization protocol Pendle manages approximately $2.5 billion in yield-bearing assets such as LST, LRT, and stablecoins. Additionally, as one of the subDAO products created by Magpie, the value of crypto assets locked in the Magpie ecosystem has exceeded $1.3 billion.

Penpie loses $27 million, Pendle token drops over 10% on the same day

On the morning of September 4, it was reported that Penpie, a yield product based on Pendle, was experiencing a hacker attack due to a contract vulnerability, resulting in asset losses exceeding $27 million.

Following the news, the Penpie platform token PNP dropped over 35%, currently fluctuating around $0.9.

Subsequently, Penpie's official statement indicated that all deposit and withdrawal operations had been suspended, and the team was addressing the issue. They also issued an open letter to the hacker, expressing a willingness to negotiate the return of the stolen funds.

In the latest security report on September 5, Penpie stated that a hacker exploited a security vulnerability in its platform, manipulating a fake Pendle market to steal over $27 million worth of ETH assets (specifically 11,113.6 ETH) from the Arbitrum and Ethereum networks.

The users most affected by this attack were those who had stored assets on Penpie from multiple LST asset protocols, mainly including agETH from Kelp DAO, rswETH from Swell, stETH from Lido, sUSDe from Ethena, and gUSDC from Gains.

Penpie is a DeFi yield enhancement governance protocol built on the yield tokenization protocol Pendle, primarily providing veToken services to help users simplify the staking and locking of Pendle tokens (PENDLE) to enhance the yields for Pendle token holders.

As is well known, Pendle allows users to trade yield-bearing assets such as LST and LRT by splitting them into principal tokens (PT) and yield tokens (YT).

The relationship between Penpie and Pendle is similar to that of "Convex and Curve," where users holding Pendle's native tokens can stake their PENDLE tokens through Penpie to receive mPENDLE. Holding mPENDLE not only allows users to earn rewards from the Pendle protocol but also provides an additional layer of rewards in the form of Penpie's native token PNP.

In short, Penpie extracts the processes of staking, locking, voting, and accelerating from Pendle's veToken model, allowing users to operate independently. When users convert PENDLE to mPENDLE, Penpie automatically locks the converted PENDLE as vePENDLE in Pendle Finance, and users can also earn additional rewards in Penpie's native token PNP.

According to Dune data, the amount of vePENDLE staked through Penpie is approximately 12.74 million tokens (worth about $38 million), accounting for nearly 38% of the total vePENDLE holdings, making it the protocol with the highest vePENDLE holdings.

However, this security incident did not significantly impact Pendle's assets, as the hacker primarily targeted the assets in the permissionless liquidity pools on the Penpie platform.

In May of this year, the Penpie platform introduced a permissionless asset pool feature, allowing users on Pendle to create any LP liquidity pool for PT or YT tokens, such as Swell's rswETH LP. Users can deposit LPs on the Penpie platform to earn an additional PNP token reward, achieving multiple benefits.

In this attack, the hacker exploited vulnerabilities in the Penpie platform to create a fake Pendle liquidity pool and used it to transfer funds out.

After the security incident was reported, Pendle first stated that it had quickly suspended related contracts, effectively protecting approximately $105 million. Soon after, they announced that all contract operations on Pendle had resumed, and trading could proceed normally. The security vulnerability was limited to the Penpie platform, and assets on Pendle remained unaffected and secure.

Additionally, another yield enhancement protocol on Pendle, Equilibria, stated that its platform assets were secure, as its contract code differs from Penpie. Adding Pendle market pools on Equilibria requires approval from the core team, and there is a 7-day waiting period for reward distribution.

However, on the day Penpie was attacked, the Pendle token (PENDLE) dropped over 10%, currently priced at $2.79.

What impact does the Penpie theft have on Magpie's products?

As one of the representative products created by Magpie, the security incident at Penpie has raised concerns among crypto community users regarding its impact on the Magpie ecosystem. Currently, Magpie's products have penetrated multiple DeFi protocols, and a concentrated security issue could have a massive impact.

Magpie is a multi-chain DeFi management platform, affectionately referred to as "Magpie" by the Chinese community. It primarily provides yield enhancement services to users of DeFi protocols that adopt the veToken economic model and is currently focused on providing restaking services for LST/LRT.

Unlike common cross-chain DEXs and other DeFi products, the Magpie platform creates, expands, and manages multiple DeFi protocols within its ecosystem through a SubDAO model. Each SubDAO operates independently, responsible for its own protocol, and issues its governance tokens, with 15-20% of the governance tokens issued by each SubDAO being contributed to the Magpie treasury.

As of now, the Magpie ecosystem has 10 subDAOs, which can be divided into two main categories:

One category provides yield enhancement services specifically for the veTokens of DeFi protocols, such as Penpie for the yield tokenization protocol Pendle, Cakepie for the DEX platform PancakeSwap, Wompie for the DEX platform Wombat Exchange, and Radpie for the multi-chain lending platform Radiant.

The other category focuses on services based on restaking LST or LRT, such as Listapie for the restaking protocol Lista DAO, Eigenpie for EigenLayer, Babypie for Babylon, and Sympie for Symbiotic.

Crypto KOL @CM previously stated that products in the Magpie ecosystem have entered the Pendle war, Cake war, Restaking war, and the upcoming Babylon war. Through subDAOs, they have gained governance resources from many mainstream DeFi protocols, making them a "workhorse" in the crypto space.

As of September 5, Magpie has accumulated over $1.3 billion in TVL across multiple protocols.

Because Penpie is a DeFi yield enhancement product in the Magpie ecosystem, the sudden security incident will undoubtedly make the ecosystem's users cautious.

Shortly after the security incident was reported, Penpie stated that it had identified the root cause and that all other protocols within the Magpie ecosystem remained secure and unaffected.

The official Magpie account also promptly posted on X, confirming that after multiple verifications, all other protocols within the Magpie ecosystem were secure and unaffected.

However, some community users expressed concerns that Babypie, the newly launched Babylon-based BTC restaking product that is currently raising funds and preparing for an IDO, might be affected by this incident.

ChainCatcher inquired with the Babypie team about the impact of this security incident.

The team's community staff stated that each SubDAO operates independently, that all funds in other subDAOs are secure (there are no similar vulnerabilities in other subDAOs), and that they will recheck, test, and audit all of their subDAO contracts.
