Circle-backed Protocol Pike Finance Loses $1.6m Due To USDC Vulnerability

Decentralized protocol for cross-chain lending Pike Finance has suffered a $1.6 million loss due to weak security measures in functions managing USDC transfers.

Pike Finance, a decentralized finance protocol specializing in cross-chain lending, fell victim to a hacking attack, resulting in a significant loss of over $1.6 million worth of altcoins. In an X post on May 1, the project’s official account said that the Pike Beta protocol was exploited on Ethereum, Arbitrum, and Optimism, losing 99,970.48 ARB, 64,126 OP, and 479.39 ETH.

According to the Pike Finance team, the exploit is related to the “USDC vulnerability,” which previously cost the protocol $299,127 in stolen USDC across Ethereum, Arbitrum, and Optimism. In a post-mortem report on Apr. 28, the team said that Pike Finance lost the assets “due to weak security measures in functions managing USDC transfers” via cross-chain transfer protocol.

“Specifically, the critical flaw was in functions designed for burning USDC on a source chain and minting on a target chain (automated by Gelato’s automation services). Inadequate protection of this function allowed attackers to manipulate receiver’s address and amounts, which were processed by Pike protocol as valid.”

Pike Finance

This time, the vulnerability led to a “misalignment in storage mapping,” which caused the protocol’s smart contract to behave in a different way, allowing attackers to bypass admin access, and as a result, withdraw funds. The team also announced a 20% reward for the return of the funds, or to those who can provide “information leading to the recovery of funds.”

Launched in 2023, Pike secured $50,000 in funding in USDC from Circle and Wormhole to help the protocol launch its mainnet in early Q1 of 2024. Pike Finance is a cross-chain liquidity provider, which offers users an option to supply and borrow native assets on different blockchain and sidechain networks.