Pickle Finance Hack - November 21, 2020
Overview
Pickle Finance was hacked on Saturday, Nov 21, 2020, draining $19.7 million in DAI, a decentralized stablecoin pegged to the U.S. dollar, from a Pickle wallet. A malicious actor stole exactly $19.7M from the pDAI PickleJar liquidity pool.
The Attack Mechanism
The attack was very sophisticated. It took advantage of design flaws, in particular a feature that enables direct swaps between Jars (vaults). The attacker exploited two critical bugs in the ControllerV4 smart contract, related to input validation and arbitrary code execution.
The ControllerV4 contract had a significant flaw in its swapExactJarForJar function. This function failed to properly validate whether the Jars provided as input were legitimate or part of the Pickle Finance ecosystem. The attacker used this bug to create two fake Jars and passed them as arguments to the swapExactJarForJar function. Because of the missing validation, the contract processed these fake Jars, which led to the unauthorized withdrawal of all invested DAI (19.76M) from the legitimate StrategyCmpdDaiV2 Jar.
Market Impact
The price of Pickle's native token (PICKLE) fell 50.12% to $10.17 on the news.
Response
Immediately after the attack on the DeFi protocol, the team joined forces with some white hat hackers to investigate the incident.
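The Jar validation that The Attack Mechanism section describes as missing from swapExactJarForJar can be expressed as a registry check made before the controller calls any Jar address. The contract below is an added illustration, not Pickle Finance's ControllerV4 source or its actual fix; every name except swapExactJarForJar is hypothetical, and it assumes both Jars wrap the same underlying token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT Pickle Finance's ControllerV4 source.
// Every name except swapExactJarForJar is hypothetical.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function approve(address s, uint256 v) external returns (bool);
    function transfer(address to, uint256 v) external returns (bool);
    function transferFrom(address f, address t, uint256 v) external returns (bool);
}

interface IJar is IERC20 {
    function token() external view returns (address);
    function deposit(uint256 amount) external;
    function withdraw(uint256 shares) external;
}

contract JarSwapController {
    address public immutable governance;
    mapping(address => bool) public approvedJars; // jars deployed by the protocol

    constructor() { governance = msg.sender; }

    function setJarApproval(address jar, bool ok) external {
        require(msg.sender == governance, "!governance");
        approvedJars[jar] = ok;
    }

    function swapExactJarForJar(address fromJar, address toJar, uint256 shares)
        external returns (uint256 received)
    {
        // Reject any caller-supplied jar address that is not in the
        // protocol's own registry before making a single call to it.
        require(approvedJars[fromJar], "!fromJar");
        require(approvedJars[toJar], "!toJar");
        // Simplifying assumption: both jars wrap the same underlying token.
        address underlying = IJar(fromJar).token();
        require(IJar(toJar).token() == underlying, "token mismatch");
        // Pull the caller's shares, redeem them, and measure what arrived.
        require(IJar(fromJar).transferFrom(msg.sender, address(this), shares), "pull failed");
        uint256 before = IERC20(underlying).balanceOf(address(this));
        IJar(fromJar).withdraw(shares);
        uint256 amount = IERC20(underlying).balanceOf(address(this)) - before;
        // Deposit into the target jar and forward only the newly minted shares.
        require(IERC20(underlying).approve(toJar, amount), "approve failed");
        uint256 sharesBefore = IJar(toJar).balanceOf(address(this));
        IJar(toJar).deposit(amount);
        received = IJar(toJar).balanceOf(address(this)) - sharesBefore;
        require(IJar(toJar).transfer(msg.sender, received), "send failed");
    }
}
```

With the two registry checks in place, a swap that names a Jar the governance address never approved reverts before the controller calls any function on it.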