Penpie

avoid.net/penpiexyz20/100·88% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2T9nhX…Bnqj

Summary

Penpie is a yield optimizer and vote-escrowed liquidity layer built on top of Pendle Finance, developed by the Magpie XYZ team. On September 3, 2024, the protocol was exploited for approximately $27 million through a reentrancy vulnerability in its batch reward harvesting function, compounded by a permissionlessly registered fake Pendle market. The attacker laundered substantially all stolen funds through Tornado Cash within days, rejecting a negotiated bounty offer from the Penpie team.

Timeline (9 events)

2023-01-01

Zokyo completes security audit of PendleStaking contract. At this time, pool registration is owner-only, limiting the exploitability of the reentrancy path.

Zokyo Post-Mortem Analysis

2024-05-01

Penpie introduces permissionless pool registration, allowing any user to register a Pendle market with the protocol. AstraSec audits the new registration contracts in isolation; the PendleStakingBaseUpg contract is excluded from scope.

CoinTelegraph Crypto-Sec; Zokyo Post-Mortem

2024-09-03

Attacker funds exploit address with 10 ETH via Tornado Cash. Three exploit transactions execute between approximately 6:25 PM and 6:42 PM UTC. Approximately $27 million (11,113.6 ETH) is drained via reentrancy on batchHarvestMarketRewards using a fake Pendle market. Penpie and Pendle pause contracts within minutes. PNP token falls ~40%; PENDLE falls ~9%.

CoinDesk; Rekt.news; The Record

2024-09-03

Penpie team files police report at Kampong Java Neighbourhood Police Centre in Singapore. Team sends on-chain message to attacker offering negotiated bounty and promising no legal action if funds are returned.

The Record (Recorded Future News)

2024-09-04

Penpie files complaint with the FBI's Internet Crime Complaint Center (IC3). VPN IP address from attack is submitted to Singapore Technology Crime investigator.

The Record (Recorded Future News)

2024-09-04

Within 12 hours of the attack, the attacker launders approximately $7 million (5,600 ETH) through Tornado Cash, representing roughly 26% of stolen funds.

CoinTelegraph; DeFi Planet

2024-09-06

Attacker transfers 7,262 ETH (~$17.4 million) to an intermediary address and continues routing funds through Tornado Cash.

Bitcoinist; DailyCoin

2024-09-10

Attacker completes laundering of substantially all stolen funds — approximately 11,261 ETH — through Tornado Cash. Bounty offer is effectively rejected.

DailyCoin

2024-10-07

Magpie XYZ publishes PIP #15, the formal recovery plan for affected users, introducing Safu Recovery Tokens (SRT) and the Safupie insurance sub-DAO.

Magpie Governance Forum; The Defiant

Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/1/2026, 5:48:34 PM

last updated: 6/4/2026, 5:44:52 PM

avoid.net — verified advice for a post-truth world