Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 206 · Reentrancy

Penpie Pendle Reentrancy

~$27M drained from Penpie after a reentrancy gap in Pendle's plugin integration let the attacker register a malicious market and pull pegged rewards in one tx.

Date
Victim
Penpie
Chain(s)
Status
Funds Stolen

On September 3, 2024, Penpie — a yield optimiser built on top of Pendle Finance — was exploited for approximately $27 million through a classic reentrancy gap in its Pendle integration.

What happened

Pendle's PendleMarket contract allows external integrators to register their own market reward "plugins". Penpie's plugin called Pendle to issue rewards on behalf of users — and during that call, control flow could be re-entered by the attacker before the plugin's accounting was updated.

The attacker registered a malicious Pendle market they controlled, then triggered a reward-claim. During the callback, they re-entered the plugin and claimed the same rewards repeatedly against the same accounting state. The exploit drained pegged-asset balances across multiple Pendle pools that Penpie was integrated with.
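The pattern described above, as an added illustration that is not Penpie's or Pendle's code: a hypothetical reward plugin in its vulnerable shape beside a hardened version. The interface names (`IRewardMarket`, `IERC20Like`) and the `accrue`/`claim` functions are invented for the example; the hardened contract adds a market allowlist, a reentrancy lock and checks-effects-interactions ordering.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative interfaces, not Pendle's real ABI: a market reports rewards to
// the plugin and, when asked to pay them, runs whatever code sits at its address.
interface IRewardMarket { function redeemRewards(address user) external; }
interface IERC20Like { function transfer(address to, uint256 amt) external returns (bool); }

// VULNERABLE: any address may act as a market, and the external call in claim()
// runs before `pending` is cleared, so a market that re-enters claim() sees the
// same unpaid balance on every nested call and is paid for each of them.
contract RewardPluginVulnerable {
    IERC20Like public immutable rewardToken;
    mapping(address => mapping(address => uint256)) public pending; // market => user => owed
    constructor(IERC20Like token) { rewardToken = token; }
    // Any caller can pose as a market and credit rewards to a user.
    function accrue(address user, uint256 amt) external { pending[msg.sender][user] += amt; }
    function claim(address market) external {
        uint256 owed = pending[market][msg.sender];
        IRewardMarket(market).redeemRewards(msg.sender); // interaction first: re-entry point
        rewardToken.transfer(msg.sender, owed);          // paid against stale accounting
        pending[market][msg.sender] = 0;                 // effect written last
    }
}

// HARDENED: only allowlisted markets may accrue or be claimed against, claim()
// is locked against re-entry, and state is zeroed before any external call.
contract RewardPluginHardened {
    IERC20Like public immutable rewardToken;
    address public immutable admin;
    mapping(address => bool) public allowedMarket;
    mapping(address => mapping(address => uint256)) public pending;
    uint256 private lock = 1;
    modifier nonReentrant() { require(lock == 1, "reentrant"); lock = 2; _; lock = 1; }
    constructor(IERC20Like token) { rewardToken = token; admin = msg.sender; }
    function allowMarket(address market, bool ok) external {
        require(msg.sender == admin, "not admin");
        allowedMarket[market] = ok;
    }
    function accrue(address user, uint256 amt) external {
        require(allowedMarket[msg.sender], "unknown market"); // only registered markets credit rewards
        pending[msg.sender][user] += amt;
    }
    function claim(address market) external nonReentrant {
        require(allowedMarket[market], "unknown market");     // check
        uint256 owed = pending[market][msg.sender];
        pending[market][msg.sender] = 0;                       // effect
        IRewardMarket(market).redeemRewards(msg.sender);       // interaction
        require(rewardToken.transfer(msg.sender, owed), "transfer failed");
    }
}
```

Even with the lock in place, the zero-before-call ordering matters on its own: it is what keeps a nested claim from ever observing a non-zero `pending` balance.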

Aftermath

  • Penpie paused integration with Pendle and announced a compensation plan for affected depositors using protocol revenue.
  • Pendle itself was not directly compromised, but added stricter callback restrictions on third-party reward plugins as a defence-in-depth measure.
  • Funds were not recovered.

Why it matters

The reentrancy class of bug is more than a decade old, but plugin / hook architectures keep recreating the conditions for it — every time a protocol calls out to integrator code mid-state-transition, the same risk reappears. Penpie was a reminder that the rule isn't "audit your contracts"; it's "treat every external call as a potential reentry point until checks-effects-interactions can prove otherwise."

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/year-in-review-the-biggest-defi-hacks-of-2024
  2. medium.com: https://medium.com/coinmonks/top-5-crypto-hacks-of-2024-more-than-2-billion-lost-36crypto-559a481eff9c
