Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 015 · Smart Contract Bug

Pickle Finance Fake-Jar Drain

$19.76M DAI drained from Pickle Finance after the attacker created two fake 'Jar' contracts and exploited a missing whitelist check in swapExactJarForJar.

Date: November 21, 2020 · Chain(s): Ethereum · Status: funds not recovered · Funds Stolen: 19.76M DAI (~$19.76M)

On November 21, 2020, the yield-aggregator protocol Pickle Finance lost 19.76 million DAI (~$19.76M at the time, given DAI's peg) in a multi-stage exploit that PeckShield characterised as one of the most complex DeFi attacks of 2020. The root cause: the ControllerV4 contract let the caller decide which contracts counted as legitimate Jars, so an attacker-supplied contract was treated with the same trust as a genuine one.

What happened

Pickle Finance used a "Jar" abstraction — a yield-bearing vault representing user deposits in different DeFi strategies. The ControllerV4 smart contract managed these Jars and exposed a function swapExactJarForJar() that let users move funds between strategies.

The vulnerability had two halves:

  1. swapExactJarForJar() did not check the supplied "Jar" arguments against a whitelist of legitimate Pickle Jars. Any contract exposing the expected Jar interface was accepted.
  2. The function also did not verify that the strategy and underlying token associated with each Jar were authentic; it resolved them through the caller-supplied Jar, which put attacker-controlled code inside the Controller's privileged call path.

The attack:

  1. Deployed two fake "Jar" contracts that exposed the expected Jar interface but were entirely attacker-controlled.
  2. Called swapExactJarForJar() with the fake Jars as the source and destination arguments. Because the Controller trusted whatever the source Jar reported about its underlying asset, it resolved the legitimate DAI strategy rather than an attacker-owned one.
  3. The ControllerV4 contract obediently withdrew DAI from the real StrategyCmpdDaiV2 (Pickle's Compound DAI strategy) and handed it to the attacker-controlled destination "Jar", which simply forwarded the DAI to the attacker.
  4. Drained 19.76 million DAI from the strategy in a single transaction.
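The two halves of the bug and the fix, as a constructed Solidity sketch added to this dossier. It is not Pickle's ControllerV4 source: the interfaces, the token()/withdrawForSwap() names, the strategies mapping and the governance-managed Jar registry are simplified assumptions chosen to show the vulnerable path beside a hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the fake-Jar bug class. Not Pickle Finance code;
// every interface and name below is an assumption made for this example.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IJar {
    // The underlying asset the Jar claims to hold (assumed interface).
    function token() external view returns (address);
}

interface IStrategy {
    // Pulls `amount` of the underlying out of the yield source and sends it
    // to msg.sender, i.e. the Controller (assumed interface).
    function withdrawForSwap(uint256 amount) external returns (uint256);
}

// VULNERABLE: any contract that answers token() is accepted as a Jar, and the
// strategy to withdraw from is chosen by a value the caller's contract returns.
contract VulnerableController {
    address public governance;
    mapping(address => address) public strategies; // underlying token => strategy

    constructor() { governance = msg.sender; }

    function setStrategy(address token, address strategy) external {
        require(msg.sender == governance, "!governance");
        strategies[token] = strategy;
    }

    function swapExactJarForJar(address _fromJar, address _toJar, uint256 _amount) external {
        address fromToken = IJar(_fromJar).token(); // attacker-controlled answer
        address toToken   = IJar(_toJar).token();   // attacker-controlled answer
        // Real strategy, real funds: the lookup key came from the fake Jar.
        uint256 got = IStrategy(strategies[fromToken]).withdrawForSwap(_amount);
        // (conversion between fromToken and toToken elided for brevity)
        IERC20(toToken).transfer(_toJar, got);      // lands in the attacker's "Jar"
    }
}

// Attacker's fake Jar: claims DAI as its underlying so the Controller reaches the
// genuine DAI strategy, then forwards whatever it receives to the attacker.
contract FakeJar is IJar {
    address public immutable dai;
    address public immutable owner;

    constructor(address _dai) { dai = _dai; owner = msg.sender; }

    function token() external view override returns (address) { return dai; }

    function sweep() external {
        require(msg.sender == owner, "!owner");
        IERC20(dai).transfer(owner, IERC20(dai).balanceOf(address(this)));
    }
}

// HARDENED: Jars are registered by governance; both arguments are checked against
// that registry, and the underlying token comes from the registry entry rather
// than from a call into the caller-supplied contract.
contract HardenedController {
    address public governance;
    mapping(address => bool)    public isJar;      // authoritative Jar whitelist
    mapping(address => address) public jarToken;   // jar => underlying, set by governance
    mapping(address => address) public strategies; // underlying token => strategy

    constructor() { governance = msg.sender; }

    function registerJar(address jar, address token) external {
        require(msg.sender == governance, "!governance");
        isJar[jar] = true;
        jarToken[jar] = token;
    }

    function setStrategy(address token, address strategy) external {
        require(msg.sender == governance, "!governance");
        strategies[token] = strategy;
    }

    function swapExactJarForJar(address _fromJar, address _toJar, uint256 _amount) external {
        require(isJar[_fromJar] && isJar[_toJar], "!jar"); // the missing whitelist check
        address fromToken = jarToken[_fromJar];           // trusted data, not asked of the Jar
        address toToken   = jarToken[_toJar];
        uint256 got = IStrategy(strategies[fromToken]).withdrawForSwap(_amount);
        IERC20(toToken).transfer(_toJar, got);
    }
}
```

The point of the hardened version is that the whitelist alone is not enough: even with isJar[] in place, asking the Jar for its token() would still let a registered-but-compromised Jar steer the lookup. Resolving both the membership and the metadata from governance-controlled state removes the caller from the decision entirely.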

Aftermath

  • Pickle Finance paused affected contracts and shipped emergency patches.
  • The PICKLE governance token dropped ~50% intraday on the news.
  • The protocol survived but never returned to its pre-incident TVL; Pickle eventually rolled into a partnership with Yearn ("Pickle ↔ Yearn cooperation").
  • The funds were laundered through Tornado Cash; no recovery.

Why it matters

Pickle is one of the earliest case studies for the fake-contract injection class of bug — when a privileged operation accepts contract addresses as parameters, every one of those addresses must be validated against an authoritative whitelist, not assumed legitimate based on interface conformance. The same class of vulnerability has recurred at protocols ranging from Cashio (Solana, 2022) to Hedgey Finance (Ethereum, 2024).

Pickle is also noteworthy for showing that complexity in DeFi protocols compounds in attack surface. Yield aggregators that route across multiple sub-strategies — each with its own contract interface, deposit/withdraw flow and trust assumptions — multiply the number of ways an attacker can slip a malicious contract into the routing path.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-defi-protocol-pickle-finance-hack-nov-2020
  2. [02] immunebytes.com: https://immunebytes.com/blog/pickle-finance-exploit-nov-21-2020-detailed-analysis/
  3. [03] blog.peckshield.com: https://blog.peckshield.com/2020/11/21/pickle/
