Pike Finance Uninitialized Proxy
$1.9M drained from Pike Finance after uninitialized upgradeable contracts let an attacker seize ownership and drain CCIP-bridged assets.
- Date: late April 2024
- Victim: Pike Finance
- Status
- Funds Stolen: ~$1.9M (first incident; several million combined across both)
In late April 2024, the cross-chain lending protocol Pike Finance was exploited twice within days for a combined several million dollars (the first incident ~$1.9M). The root cause: upgradeable contracts deployed but left uninitialized, allowing an attacker to call the initializer, seize ownership, and drain assets — including Chainlink CCIP-bridged funds — across Ethereum, Arbitrum and Optimism.
What happened
Pike's proxy contracts were deployed without their initializer being called atomically at deployment. An attacker called initialize themselves, becoming owner, then used owner privileges to drain protocol assets. A second exploit days later hit related uninitialized/over-privileged surfaces before the team fully secured the deployments.
Aftermath
- Pike paused, re-deployed with atomic initialization, and pursued recovery (limited).
- Repeat loss within days underscored incomplete first-response remediation.
Why it matters
Pike Finance is yet another unprotected/uninitialized initializer — the single most-repeated catastrophic Solidity pattern in the catalogue: Parity (2017), DODO (2021), Punk (2021), DAO Maker (2021), Audius (2022), Pike (2024). Seven-plus years; one-line mitigation (initializer modifier + atomic deploy-and-initialize). Pike's second loss days after the first also illustrates the catalogue's repeat-incident corollary: rushed remediation that doesn't address the systemic deployment-hygiene deficit invites the follow-up exploit.
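As an added illustration of the deployment-hygiene point made in "What happened" and here (not Pike's actual source, and not code from any of the cited write-ups), the following Solidity contrasts the vulnerable shape with the mitigated one. It assumes OpenZeppelin's `Initializable` and `ERC1967Proxy` at their usual import paths; the contract and function names (`VaultLogicUnsafe`, `VaultLogic`, `VaultDeployer`, `sweep`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: OpenZeppelin upgradeable-contract helpers (assumed installed via npm).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// VULNERABLE SHAPE (illustrative): a public initializer that nobody calls at
/// deployment. A hand-rolled "initialized" flag only enforces first-caller-wins,
/// so whoever reaches initialize() first, in a later transaction, becomes owner.
contract VaultLogicUnsafe {
    address public owner;
    bool private initialized;

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner; // first caller sets the owner
    }

    /// Owner-only privilege that becomes catastrophic if owner is hijacked.
    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

/// MITIGATED SHAPE: `initializer` enforces exactly-once semantics per proxy,
/// and the constructor locks the implementation contract so it can never be
/// initialized directly (a separate classic mistake with upgradeable logic).
contract VaultLogic is Initializable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // implementation itself can never be initialized
    }

    function initialize(address _owner) external initializer {
        require(_owner != address(0), "zero owner");
        owner = _owner;
    }

    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

/// Atomic deploy-and-initialize: the proxy constructor delegatecalls the
/// encoded initialize() in the same transaction, so there is no block in
/// which the proxy exists but has no owner.
contract VaultDeployer {
    event Deployed(address proxy, address owner);

    function deploy(address logic, address initialOwner) external returns (address) {
        bytes memory initCall = abi.encodeCall(VaultLogic.initialize, (initialOwner));
        ERC1967Proxy proxy = new ERC1967Proxy(logic, initCall);
        address proxyAddr = address(proxy);

        // Post-deploy invariant check: the proxy must already have the intended owner.
        require(VaultLogic(payable(proxyAddr)).owner() == initialOwner, "init did not take");
        emit Deployed(proxyAddr, initialOwner);
        return proxyAddr;
    }
}
```

The check at the end of `deploy` is the cheap release gate a team can also run against every live proxy: read `owner()` (and, for OpenZeppelin contracts, the initialized-version storage slot) and fail the deployment pipeline if any proxy or bare implementation answers with the zero address or an uninitialized state.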
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024
- [02] merklescience.com: https://www.merklescience.com/blog/hack-track-pike-finance-flow-of-funds-analysis
- [03] rekt.news: https://rekt.news/pike-rekt