Pike Finance

1 decision on this page

Audit log

Every state-changing event for Pike Finance: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-01 17:48:45Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 423,640,367
    sig: 5sK5bhHbcJgs…4KXxdVhs
    hash: 7Z4GdGfnyLGu…fDdVhbMx (sha256 → base58)
    verifying row… (full verify ↗)
    canonical bytes (18809 B):
    {"actor":"system:backfill","investigation_id":"b1f3fb25-5fcd-4377-b433-917b184e949e","kind":"publish","page_slug":"pike-finance","published_at":"2026-06-01T17:48:45.011Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Pike Finance","sections":[{"content":"On April 26, 2024, an attacker exploited a vulnerability in Pike Finance's integration with Circle's Cross-Chain Transfer Protocol (CCTP) and the Gelato automation network. The protocol failed to perform proper input validation on the receiver address and transfer amounts passed through CCTP, allowing the attacker to manipulate both fields and redirect 299,127 USDC to their own wallet. On-chain analysis tracked the stolen funds being bridged from Arbitrum to Ethereum via Stargate and subsequently deposited into Tornado Cash from attacker address 0xAdaF1626aEC26A7937aE7d1Fa0664e6E0904C1d0. A small residual amount of ETH (0.043 ETH) was sent directly to a Binance deposit address. Pike Finance's auditing partner OtterSec had previously identified this vulnerability class in an audit, but according to Pike Finance's own post-exploit statement, 'Pike team was unable to address the identified vulnerability in a timely manner' before the attack occurred.","heading":"First Exploit — April 26, 2024 (~$299K USDC)","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Pike Finance Hack (April 2024) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024"},{"credibility":2,"name":"CertiK — Pike Finance Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/pike-finance-incident-analysis"},{"credibility":2,"name":"Merkle Science — Hack Track: Pike Finance Flow of Funds Analysis","type":"on_chain","url":"https://www.merklescience.com/blog/hack-track-pike-finance-flow-of-funds-analysis"},{"credibility":2,"name":"Protos — DeFi lender Pike Finance loses $1.9M to two hacks in less than a 
week","type":"news_article","url":"https://protos.com/defi-lender-pike-finance-loses-1-9m-to-two-hacks-in-less-than-a-week/"}]},{"content":"On April 30, 2024, between 21:45 and 22:20 UTC, Pike Finance suffered a second and larger attack draining approximately $1.68M across three chains: $1,433,977 on Ethereum (479.39 ETH), $150,459 on Optimism (64,126 OP tokens), and $100,070 on Arbitrum (99,970 ARB tokens). The root cause was a storage collision introduced during the emergency contract upgrade executed after the first exploit. When Pike's developers added pause and unpause functionality to the spoke contracts, the newly introduced boolean storage variables altered the contract's storage layout. Specifically, the slot previously occupied by the 'initialized' flag was overwritten by other variables, causing the proxy contract to behave as though it had never been initialized. This allowed the attacker to call initialize() a second time, assign themselves the isActive admin role, invoke upgradeToAndCall() to deploy a malicious implementation contract, and then drain all deposited funds. 
The attacker consolidated approximately 562 ETH in total (including ETH bridged from Arbitrum and Optimism) and routed the full amount into RAILGUN, a zero-knowledge privacy protocol, to obscure the money trail.","heading":"Second Exploit — April 30, 2024 (~$1.68M)","severity":"critical","sources":[{"credibility":2,"name":"CertiK — Pike Finance Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/pike-finance-incident-analysis"},{"credibility":2,"name":"Halborn — Explained: The Pike Finance Hack (April 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024"},{"credibility":2,"name":"Merkle Science — Pike Finance Flow of Funds Analysis","type":"on_chain","url":"https://www.merklescience.com/blog/hack-track-pike-finance-flow-of-funds-analysis"},{"credibility":2,"name":"Pike Finance on X — Official exploit announcement","type":"official","url":"https://x.com/PikeFinance/status/1785572875124330644"}]},{"content":"Pike Finance integrated Circle's Cross-Chain Transfer Protocol (CCTP) to enable native USDC transfers across chains, activating this functionality on April 24, 2024 — just two days before the first exploit. The protocol relied on Gelato's automation services to trigger CCTP-related contract calls but did not implement sufficient validation of the parameters passed through those calls. An attacker could forge or manipulate the receiver address and the USDC amount without the Pike contract detecting the tampering. Critically, Pike's auditing partner OtterSec had flagged this vulnerability class prior to launch; Pike Finance later acknowledged publicly that 'Pike team was unable to address the identified vulnerability in a timely manner.' After the first attack, Pike incorrectly characterized the incident as a 'USDC vulnerability,' which Circle disputed. 
Pike Finance subsequently issued a correction stating: 'The term USDC vulnerability was inaccurate for summarizing last week's exploit,' confirming the flaw resided entirely in Pike's own contract logic, not in Circle's CCTP or Gelato's systems.","heading":"CCTP Integration Vulnerability and Known Audit Finding","severity":"high","sources":[{"credibility":2,"name":"CryptoSlate — Pike Finance admits to error, denies fault of USDC","type":"news_article","url":"https://cryptoslate.com/pike-finance-admits-to-error-following-1-7-million-exploit-denies-fault-of-usdc/"},{"credibility":2,"name":"crypto.news — Circle-backed protocol Pike Finance loses $1.6m due to USDC vulnerability","type":"news_article","url":"https://crypto.news/circle-backed-protocol-pike-finance-loses-1-6m-due-to-usdc-vulnerability/"},{"credibility":3,"name":"Quadriga Initiative — Pike Finance USDC Withdrawal Vulnerability Case","type":"community_report","url":"https://www.quadrigainitiative.com/casestudy/pikefinanceusdcwithdrawalvulnerability.php"}]},{"content":"The second exploit illustrates a common failure mode in emergency DeFi incident response: a hasty patch that introduces a new vulnerability. After the April 26 exploit, the Pike team upgraded the spoke contracts to pause the protocol and introduce additional controls. This upgrade added new boolean state variables (for the pause/unpause mechanism) that, due to Solidity's sequential storage slot allocation rules, occupied the slot previously used by the 'initialized' flag in the proxy's storage layout. The result was a storage collision: from the perspective of the upgraded implementation contract, the protocol was uninitialized, even though it had been deployed and initialized earlier. Because upgradeable proxy contracts use delegatecall, storage state is read from the proxy contract's storage, not the implementation's — any misalignment between the proxy layout and the implementation layout causes state to be misread. 
The second attacker identified this misalignment and called initialize() to seize admin control, then replaced the implementation with malicious bytecode. Security analysts at Halborn and CertiK noted this type of issue is detectable through comprehensive storage-layout testing and proxy upgrade simulation prior to deployment — steps the Pike team did not take during the emergency response window.","heading":"Why the Second Attack Succeeded After the First","severity":"high","sources":[{"credibility":2,"name":"Halborn — Explained: The Pike Finance Hack (April 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024"},{"credibility":2,"name":"CertiK — Pike Finance Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/pike-finance-incident-analysis"},{"credibility":2,"name":"QuillAudits — Decoding Pike Finance Exploit","type":"research","url":"https://quillaudits.medium.com/decoding-pike-finance-exploit-quillaudits-40a1662d3f8a"}]},{"content":"Following the second exploit, Pike Finance paused the protocol and offered a 20% bounty for return of funds. No funds were returned. The team announced a plan to make all affected users whole: Pike used 4% of the total supply of its native $P token (drawn from the Community Treasury allocation) as collateral to borrow approximately $2M in stablecoins from the team treasury, which were used to purchase the relevant assets (ETH, ARB, OP) on the open market and reimburse users at their pre-exploit balances. Restitution was distributed directly to users' wallets — OP via Optimism, ARB via Arbitrum, ETH and USDC via Base. The team stated the $P collateral loan would be repaid as the protocol generates revenue following relaunch. 
The community received the announcement with mixed reactions; some participants publicly requested pre-sale refunds.","heading":"Protocol Response and User Reimbursement","severity":"medium","sources":[{"credibility":2,"name":"Protos — DeFi lender Pike Finance loses $1.9M to two hacks in less than a week","type":"news_article","url":"https://protos.com/defi-lender-pike-finance-loses-1-9m-to-two-hacks-in-less-than-a-week/"},{"credibility":2,"name":"Pike Finance Community Dashboard","type":"official","url":"https://community.pike.finance/"}]},{"content":"Pike Finance was founded in 2022 and describes itself as a natively cross-chain lending market enabling borrowing and lending of assets directly across multiple blockchains. The protocol is built on Wormhole's cross-chain message-passing infrastructure and Circle's CCTP for native USDC transfers, using a hub-and-spoke architecture. Pike secured $50,000 in seed funding from Circle and Wormhole in November 2023 to support its mainnet launch. The protocol launched its testnet in December 2023 and went live on beta mainnet in early April 2024 — weeks before the exploits. The protocol's GitHub organization is nutsfinance/pike-protocol. 
The team has not publicly disclosed the names of founders or core contributors; the protocol operates under the PikeDAO governance brand.","heading":"Protocol Background and Backers","severity":"low","sources":[{"credibility":2,"name":"crypto.news — Wormhole-backed cross-chain liquidity provider Pike debuts testnet","type":"news_article","url":"https://crypto.news/wormhole-backed-cross-chain-liquidity-provider-pike-debuts-testnet/"},{"credibility":2,"name":"The Defiant — Universal Liquidity Protocol Pike Finance Goes Live","type":"news_article","url":"https://thedefiant.io/news/defi/universal-liquidity-protocol-pike-finance-goes-live"},{"credibility":1,"name":"GitHub — nutsfinance/pike-protocol","type":"official","url":"https://github.com/nutsfinance/pike-protocol"}]},{"content":"Pike Finance relaunched following the April 2024 incidents, migrating to the Base network and introducing a native $P governance token. Community updates published in October and December 2024 reference a P Buyback Program and ongoing financial reporting through quarterly town halls. The protocol's website remains active as of mid-2025, advertising borrowing, lending, and trading of blue-chip assets. 
The relaunch represents a new deployment with an updated architecture; whether the smart contracts underlying the relaunch received a comprehensive independent audit before deployment has not been confirmed in publicly available sources.","heading":"Relaunch and Current Status","severity":"medium","sources":[{"credibility":2,"name":"Pike Finance official website","type":"official","url":"https://pike.finance/"},{"credibility":2,"name":"Pike Finance Community Update — October 2024","type":"official","url":"https://community.pike.finance/13b67c9632cd81b9a321da866f7b7a1d"}]}],"sources_used":[{"name":"Halborn — Explained: The Pike Finance Hack (April 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024"},{"name":"CertiK — Pike Finance Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/pike-finance-incident-analysis"},{"name":"Merkle Science — Hack Track: Pike Finance Flow of Funds Analysis","type":"on_chain","url":"https://www.merklescience.com/blog/hack-track-pike-finance-flow-of-funds-analysis"},{"name":"Protos — DeFi lender Pike Finance loses $1.9M to two hacks in less than a week","type":"news_article","url":"https://protos.com/defi-lender-pike-finance-loses-1-9m-to-two-hacks-in-less-than-a-week/"},{"name":"CryptoSlate — Pike Finance admits to error following $1.7 million exploit, denies fault of USDC","type":"news_article","url":"https://cryptoslate.com/pike-finance-admits-to-error-following-1-7-million-exploit-denies-fault-of-usdc/"},{"name":"crypto.news — Circle-backed protocol Pike Finance loses $1.6m due to USDC vulnerability","type":"news_article","url":"https://crypto.news/circle-backed-protocol-pike-finance-loses-1-6m-due-to-usdc-vulnerability/"},{"name":"crypto.news — Wormhole-backed cross-chain liquidity provider Pike debuts testnet","type":"news_article","url":"https://crypto.news/wormhole-backed-cross-chain-liquidity-provider-pike-debuts-testnet/"},{"name":"The 
Defiant — Universal Liquidity Protocol Pike Finance Goes Live","type":"news_article","url":"https://thedefiant.io/news/defi/universal-liquidity-protocol-pike-finance-goes-live"},{"name":"Pike Finance on X — Official exploit announcement","type":"official","url":"https://x.com/PikeFinance/status/1785572875124330644"},{"name":"QuillAudits — Decoding Pike Finance Exploit","type":"research","url":"https://quillaudits.medium.com/decoding-pike-finance-exploit-quillaudits-40a1662d3f8a"},{"name":"Quadriga Initiative — Pike Finance USDC Withdrawal Vulnerability","type":"community_report","url":"https://www.quadrigainitiative.com/casestudy/pikefinanceusdcwithdrawalvulnerability.php"},{"name":"Quadriga Initiative — Pike Finance Variable Storage Vulnerability","type":"community_report","url":"https://quadrigainitiative.com/casestudy/pikefinancevariablestoragevulnerability.php"},{"name":"GitHub — nutsfinance/pike-protocol","type":"official","url":"https://github.com/nutsfinance/pike-protocol"},{"name":"Pike Finance official website","type":"official","url":"https://pike.finance/"},{"name":"Pike Finance Community Dashboard","type":"official","url":"https://community.pike.finance/"}],"summary":"Pike Finance is a natively cross-chain lending protocol built on Wormhole's messaging layer and Circle's Cross-Chain Transfer Protocol (CCTP), which launched its beta mainnet in early 2024. Within days of launch, the protocol suffered two separate exploits on April 26 and April 30, 2024, draining approximately $299K and $1.68M respectively for a combined loss of roughly $1.98M. 
The first exploit stemmed from an improperly validated CCTP integration; the second arose from a storage layout corruption introduced during the emergency patch, allowing attackers to reinitialize and take over spoke contracts.","timeline":[{"date":"2022-01-01","event":"Pike Finance founded; begins development of cross-chain lending protocol on Wormhole and CCTP infrastructure.","source":"RootData","source_url":"https://www.rootdata.com/Projects/detail/Pike%20Finance?k=ODIzMg%3D%3D"},{"date":"2023-11-01","event":"Pike Finance secures $50,000 in seed funding from Circle and Wormhole to support mainnet launch.","source":"crypto.news","source_url":"https://crypto.news/wormhole-backed-cross-chain-liquidity-provider-pike-debuts-testnet/"},{"date":"2023-12-01","event":"Pike Finance launches testnet on Ethereum and its Layer 2 networks.","source":"crypto.news","source_url":"https://crypto.news/wormhole-backed-cross-chain-liquidity-provider-pike-debuts-testnet/"},{"date":"2024-04-01","event":"Pike Finance beta mainnet goes live. OtterSec audit has already flagged CCTP integration vulnerability; team has not patched it.","source":"The Defiant","source_url":"https://thedefiant.io/news/defi/universal-liquidity-protocol-pike-finance-goes-live"},{"date":"2024-04-24","event":"Pike Finance enables USDC withdrawals via CCTP, activating the vulnerable integration pathway.","source":"Quadriga Initiative","source_url":"https://www.quadrigainitiative.com/casestudy/pikefinanceusdcwithdrawalvulnerability.php"},{"date":"2024-04-26","event":"First exploit: attacker manipulates CCTP receiver address and amount, draining 299,127 USDC (~$299K) primarily from Arbitrum. Funds bridged to Ethereum and deposited into Tornado Cash.","source":"CertiK Incident Analysis","source_url":"https://www.certik.com/resources/blog/pike-finance-incident-analysis"},{"date":"2024-04-26","event":"Pike Finance pauses the protocol and begins emergency upgrade of spoke contracts to address the CCTP vulnerability. 
The upgrade inadvertently introduces a storage layout collision.","source":"Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-pike-finance-hack-april-2024"},{"date":"2024-04-30","event":"Second exploit: attacker exploits storage collision in the patched contracts, calls initialize() to seize admin access, upgrades implementation to malicious bytecode, and drains 479.39 ETH, 64,126 OP, and 99,970 ARB — totaling ~$1.68M across Ethereum, Optimism, and Arbitrum.","source":"Pike Finance official X announcement","source_url":"https://x.com/PikeFinance/status/1785572875124330644"},{"date":"2024-04-30","event":"Second exploit funds (~562 ETH consolidated across chains) are routed into RAILGUN, a zero-knowledge privacy protocol, obscuring the on-chain trail.","source":"Merkle Science","source_url":"https://www.merklescience.com/blog/hack-track-pike-finance-flow-of-funds-analysis"},{"date":"2024-05-01","event":"Pike Finance offers 20% bounty for return of stolen funds. No funds are returned. 
Team announces plan to reimburse all affected users using $P token treasury collateral.","source":"Protos","source_url":"https://protos.com/defi-lender-pike-finance-loses-1-9m-to-two-hacks-in-less-than-a-week/"},{"date":"2024-05-01","event":"Pike Finance issues correction clarifying that the term 'USDC vulnerability' was inaccurate; acknowledges the root cause was Pike's own improper integration of CCTP, not a flaw in Circle's protocol.","source":"CryptoSlate","source_url":"https://cryptoslate.com/pike-finance-admits-to-error-following-1-7-million-exploit-denies-fault-of-usdc/"},{"date":"2024-10-21","event":"Pike Finance publishes community update, indicating relaunch on Base network and introduction of $P token with buyback program.","source":"Pike Finance Community","source_url":"https://community.pike.finance/13b67c9632cd81b9a321da866f7b7a1d"},{"date":"2024-12-09","event":"Pike Finance announces quarterly town hall covering financial updates and P Buyback Program, signaling continued active development.","source":"Pike Finance Community","source_url":"https://community.pike.finance/update-2024129"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision fb0df7ef-a0b7-465a-9163-2a69812f267b
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.