Penpie lost over $20m because of a reentrancy attack.
The reward amount is calculated from the token balance before and after redeeming rewards. If someone can deposit tokens inside the “redeemRewards” function, the deposited token amount is counted as the reward amount. The hacker deployed his own market before the attack.
https://app.blocksec.com/explorer/tx/eth/0x7e75…21d1
Then the hacker called the “batchHarvestMarketRewards” function with his own market.
As you can see in the picture, reentrancy occurs. Using this, he could deposit tokens inside the “redeemRewards” function.
The balance after “redeemRewards” was much bigger than before the call, so the hacker could get much more rewards.
There’s a reentrancy check in the deposit function, but the “batchHarvestMarketRewards” function doesn’t check for reentrancy.
I think all functions should check reentrancy for safety.
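The accounting flaw and the missing guard described above, as a simplified Python model added here as an example; it is not Penpie's contract code. The class names, method names and amounts are constructed for illustration, and a raised exception stands in for a reverted transaction.

```python
class Reentrancy(Exception): pass  # a guarded function was entered while locked

class Staking:
    """Model of balance-delta reward accounting; all names are hypothetical."""
    def __init__(self, guard_harvest):
        self.guard_harvest = guard_harvest  # True = hardened variant
        self.locked = False                 # one lock shared by every entry point
        self.balance = 0                    # tokens held by the contract
        self.credited = 0                   # amount booked as harvested rewards

    def _enter(self):
        if self.locked:
            raise Reentrancy("reentrant call")
        self.locked = True

    def deposit(self, amount):              # guarded in both variants
        self._enter()
        try:
            self.balance += amount
        finally:
            self.locked = False

    def harvest(self, market):              # models batchHarvestMarketRewards
        if self.guard_harvest:
            self._enter()
        try:
            before = self.balance
            received = market.redeem_rewards(self)   # call into untrusted code
            self.balance += received
            self.credited += self.balance - before   # whole delta treated as reward
        finally:
            if self.guard_harvest:
                self.locked = False

class HonestMarket:
    def redeem_rewards(self, staking):
        return 10                           # constructed: genuine reward transfer

class ReenteringMarket:                     # constructed caller-supplied market
    def redeem_rewards(self, staking):
        staking.deposit(1000)               # nested deposit during redemption
        return 0

def run(guard_harvest, market):             # credited reward, or "reverted"
    staking = Staking(guard_harvest)
    try:
        staking.harvest(market)
    except Reentrancy:
        return "reverted"
    return staking.credited
```

With the harvest path unguarded, the nested deposit of 1000 is booked as 1000 in rewards; with the shared lock on both entry points, the nested deposit fails and the whole harvest reverts.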