Penpie

2023-05-01

Penpie launches as the first sub-DAO under the Magpie ecosystem, built on Pendle Finance.

2024-05-01

Penpie introduces permissionless pool registration, allowing anyone to create Pendle markets — removing an access control that had previously mitigated reentrancy risk in the batchHarvestMarketRewards() function.

2024-09-03

At 6:23 PM UTC, the reentrancy exploit begins. Three attack transactions drain approximately $27.348 million in wstETH, sUSDe, agETH, and rswETH across Arbitrum and Ethereum.

2024-09-03

Within 20 minutes of the exploit, Pendle Finance pauses all contracts, preventing the attacker from executing a second malicious contract targeting the remaining ~$105 million.

2024-09-03

Penpie team visits Kampong Java Neighbourhood Police Centre in Singapore and files a police report.

2024-09-04

Penpie files a complaint with the FBI's Internet Crime Complaint Center (IC3) and sends an on-chain message to the attacker offering amnesty in exchange for return of funds.

2024-09-04

Attacker begins laundering stolen funds through Tornado Cash; approximately $7 million (26% of total) is laundered within 12 hours of the exploit.

2024-09-06

Euler Finance exploiter sends an on-chain congratulatory message to the Penpie attacker. Penpie offers a 10% bounty for information leading to the attacker's identification.

2024-09-06

Attacker transfers 7,262 ETH ($17.4 million) to an intermediary address; 5,600 ETH is then laundered through Tornado Cash.

2024-09-08

Attacker completes laundering of all remaining stolen ETH through Tornado Cash; full 11,261 ETH balance is confirmed laundered by PeckShield.

2024-10-07

Magpie publishes Penpie compensation plan proposing 27 million Safu Recovery Tokens (SRT) backed by 4% of MGP token supply, and launches Safupie insurance mechanism proposal. Protocol operations resume.