Pickle Finance Loses $20 Million In DeFi Exploit


In the latest of a long string of decentralized finance protocol exploits, Pickle Finance lost as much as $20 million in an attack on its DAI farms this weekend.

The DeFi protocol posted that hackers exploited its DAI ‘pickle jar’ strategy and that it was looking into the incursion. In what appears to be another flash loan attack, almost $20 million in DAI has been stolen.

DeFi researcher Nick Sawinyh [@sawinyh] simplified the attack with this diagram. It suggests that the hacker deployed a malicious jar in order to leech the funds from the genuine ones.

Pickle Finance started advising users to unstake their tokens and withdraw from the protocol.

“We’re encouraging all LPs to withdraw their funds from the Jars until the issues have been resolved.”

At the time of writing, the last update on its Twitter feed was twelve hours ago with withdrawal instructions, but no further information. The attack follows similar flash loan exploits for Origin Protocol’s OUSD and Harvest Finance.

What a Pickle

Pickle Finance’s model brought the four largest stablecoins, USDT, DAI, USDC, and sUSD, closer to their peg. Pickle used liquidity farms and ‘pVaults’, which were rebranded to ‘pJars’ or pickle jars.

Using an ethos of ‘Off-peg bad, on-peg good,’ Pickle incentivized users to sell stablecoins trading above their peg and buy ones that are below it.

When a stablecoin is above peg, the protocol distributes fewer PICKLE tokens to that pool and more to others. Yield farmers chasing the best returns react to the sell and buy pressure for the overvalued and undervalued stablecoins.

Triple-digit yields proved irresistible to the degen farmers that have flocked to the protocol since its mid-September launch. Although Pickle Finance claims it has had two independent audits, they appear not to have made much of a difference.

Bitcoiner and Morgan Creek Digital co-founder, Anthony Pompliano, was quick to stick the knife in.