Security Incident
On September 4th, the DeFi protocol Penpie, built on top of Pendle, was hacked, resulting in the theft of approximately $27 million worth of crypto assets, including various forms of staked Ethereum, Ethena’s sUSDE, and wrapped USDC stablecoins.
According to CertiK, this was the largest reentrancy attack of 2024, and the third largest since January 2021, after the Grim Finance hack (~$40 million, December 2021) and the Vyper compiler vulnerability incident (~$52 million, July 2023).
Despite Penpie’s attempt to negotiate with the hacker—offering to discuss a bounty and forgo legal actions if the funds were returned—by September 8th, the hacker had deposited the remaining 1,661 ETH (~$3.77 million) into Tornado Cash. This suggests that the $27 million stolen (converted to 11,261 ETH) has been fully laundered through Tornado Cash, and the likelihood of recovery is near zero.
Many had never heard of Penpie until the hack, but in reality, Penpie was a pioneering success within the Magpie ecosystem as the first successful subDAO model, setting the foundation for other subDAOs like Eigenpie, which later gained broader recognition.
So, what exactly does the Penpie protocol do? And after this security breach, does it still hold any competitiveness? Let’s explore.
Protocol Mechanism
Penpie operates on the Pendle platform. Without diving too deeply into Pendle’s various mechanisms, let’s summarize the key aspects to clarify the relationship between Pendle and Penpie.
Pendle offers three main ways to participate:
- Holding PT (Principal Token) to gain fixed income.
- Holding YT (Yield Token) to speculate on uncertain returns.
- Providing liquidity (LP) to SY-PT pools (SY is a standardized wrapper of the underlying yield-bearing asset; one SY splits into one PT plus one YT, i.e. SY = PT + YT).
YT and PT appeal to players with different risk appetites, helping protocols integrated with Pendle increase TVL (Total Value Locked). Sustaining high TVL growth requires ample SY-PT liquidity to ensure low slippage for generating new PT and YT. To attract liquidity providers (LPs), Pendle offers incentives in the form of PENDLE tokens.
By holding enough vePENDLE (1 PENDLE locked for 4 years equals 1 vePENDLE, 2 years equals 0.5 vePENDLE, and so on), LPs can boost their PENDLE rewards by up to 2.5 times.
But what if you don’t own PENDLE and still want to maximize LP returns? You can deposit your LP tokens into Liquid Lockers or Yield Boosters like Penpie or StakeDAO, which lock PENDLE and hold large amounts of vePENDLE, helping you increase your LP returns in exchange for a cut of the rewards and external third-party bribes.
In short, Penpie helps liquidity providers on Pendle boost their yields without locking up PENDLE tokens.
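To make the vePENDLE and boost mechanics concrete, here is a small Python model, added for illustration; it is not Pendle's or Penpie's code. It takes the page's linear lock weighting (1 PENDLE locked for 4 years = 1 vePENDLE, 2 years = 0.5) and assumes, as a labelled assumption, that the reward boost follows the Curve-style gauge formula capped at 2.5x. It then shows why an LP holding no vePENDLE earns the base rate alone, but reaches most of the 2.5x boost when deposited through a booster that pools a large vePENDLE position and takes a fee. All pool sizes and the fee rate are constructed sample values.

```python
"""Toy model of vote-escrow boosting and a Penpie-style yield booster.

Added illustration, not Pendle's or Penpie's code. Assumptions:
- vePENDLE scales linearly with lock time up to 4 years (as the article states).
- The boost is the Curve-style gauge formula with a 2.5x cap. Pendle's actual
  boost math is assumed to match this; treat the formula as an assumption.
"""

MAX_LOCK_YEARS = 4.0
MAX_BOOST = 2.5  # an LP with enough vePENDLE earns up to 2.5x the base rate


def ve_balance(pendle_locked: float, lock_years: float) -> float:
    """vePENDLE credited for locking `pendle_locked` PENDLE for `lock_years` years."""
    if not 0 < lock_years <= MAX_LOCK_YEARS:
        raise ValueError("lock must be between 0 and 4 years")
    return pendle_locked * lock_years / MAX_LOCK_YEARS


def working_balance(lp: float, total_lp: float, ve: float, total_ve: float) -> float:
    """Curve-style working balance (assumed formula).

    40% of the LP position always counts; the remaining 60% is unlocked in
    proportion to the holder's share of total vePENDLE, capped at the full
    position. Rewards are paid pro rata on working balance, so the cap gives
    at most 2.5x the unboosted 40%.
    """
    base = lp / MAX_BOOST  # 0.4 * lp
    if total_ve == 0:
        return base
    extra = (1 - 1 / MAX_BOOST) * total_lp * ve / total_ve
    return min(lp, base + extra)


def boost(lp: float, total_lp: float, ve: float, total_ve: float) -> float:
    """Reward multiple relative to an LP with no vePENDLE (1.0 .. 2.5)."""
    return working_balance(lp, total_lp, ve, total_ve) / (lp / MAX_BOOST)


def booster_multiple(booster_lp: float, booster_ve: float,
                     total_lp: float, total_ve: float, fee: float = 0.15) -> float:
    """Effective multiple a depositor gets through a Penpie-style booster.

    The booster's pooled LP is boosted by the booster's own vePENDLE; every
    depositor receives the same boost pro rata, minus the booster's cut
    (the `fee`, a constructed sample rate).
    """
    return boost(booster_lp, total_lp, booster_ve, total_ve) * (1 - fee)


def demo() -> dict:
    """Constructed scenario: a 1,000-token LP gauge and 10,000 vePENDLE total."""
    total_lp, total_ve = 1000.0, 10000.0
    return {
        # 100 PENDLE locked for 2 years credits 50 vePENDLE
        "ve_for_2y_lock": ve_balance(100.0, 2.0),
        # an LP with 100 tokens and no vePENDLE earns the base rate
        "solo_no_ve": boost(100.0, total_lp, 0.0, total_ve),
        # the same LP holding 40% of all vePENDLE hits the 2.5x cap
        "solo_big_ve": boost(100.0, total_lp, 4000.0, total_ve),
        # a booster with 500 LP tokens and 40% of vePENDLE: 2.2x before fees
        "booster_gross": boost(500.0, total_lp, 4000.0, total_ve),
        # what a depositor keeps after the booster's 15% cut
        "booster_net": booster_multiple(500.0, 4000.0, total_lp, total_ve),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>15}: {v:.3f}")
```

The booster's gross multiple (2.2x here) is lower than the solo whale's 2.5x because the booster spreads its vePENDLE over a larger pooled LP balance; that dilution, plus the fee, is the price a depositor pays for not locking PENDLE themselves, and it is why the booster's competitiveness rests on how much vePENDLE it controls relative to the LP it serves.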
Penpie’s Current Standing
From the above analysis, it’s clear that Penpie’s fundamental competitiveness hinges on the amount of vePENDLE it holds. The more vePENDLE, the more LPs (and larger amounts) it can help, leading to higher TVL growth and income for Penpie.
So, after the security incident, does Penpie still have a competitive edge? The answer is a resounding yes.
Penpie did not lose any of its vePENDLE holdings in the hack and remains the largest PENDLE token holder, with over 12 million vePENDLE (37.59% of the total), which exceeds the combined holdings of its competitors, Equilibria and StakeDAO.
From a purely functional perspective, Penpie can still offer higher yields for the remaining assets on the platform (over $100 million in Pendle LP tokens).
However, confidence must be rebuilt, and the affected users will need to be compensated for their losses.
Future Outlook
For Penpie, its core asset—vePENDLE, the golden goose—remains intact, which is fortunate. However, it now needs to stabilize and provide a fair compensation plan for users who suffered asset losses. Potential solutions could include issuing compensation bonds or recovery tokens, which may require PNP token holders to sacrifice some of their returns, prioritizing compensation for those affected by the hack.
In the short term, the PNP token price may struggle, but once Penpie's functionality is restored and its code secured, it remains a fundamentally healthy and practical DeFi protocol.