A recent exploit at DeFi protocol Pike Finance has been clarified, with the company stating that it was not caused by a USDC vulnerability, as previously mentioned.
In a statement released on May 1, Pike Finance acknowledged that the term “USDC vulnerability” was inaccurate for summarizing the exploit that occurred last week. The company explained that weaknesses in Pike’s contract functions, particularly issues related to the handling of transfers on Circle’s Cross-Chain Transfer Protocol (CCTP), were actually responsible for the incident.
The exploit, which resulted in significant losses for Pike Finance, was initially attributed to a USDC vulnerability following the first attack on April 26. However, the company later admitted that the root cause of the exploit was not related to the functionality of Circle’s USDC enabled by CCTP or Gelato, a smart contract automation protocol.
During the April 30 attack, 99,970.48 ARB, 64,126 OP, and 479.39 ETH were stolen, resulting in a loss of $1.7 million according to Certik data. The earlier attack on April 26 led to the loss of 299,127 USDC on Ethereum, Arbitrum, and Optimism.
The first attack was attributed to vulnerabilities in Pike’s contract functions related to USDC transfers on CCTP, which allowed attackers to change the receiver’s address and amounts. Despite being informed of the issue by its auditing partner, OtterSec, Pike Finance was unable to address the vulnerability before the attack.
The second attack occurred after Pike Finance upgraded its spoke contracts to pause the network, causing the contract to behave as if it were uninitialized. This allowed attackers to upgrade the contract, bypass admin access, and withdraw funds.
Pike Finance is just one of many DeFi projects that have been targeted by exploits, though recent reports suggest a decrease in losses from scams and exploits in April.
