DeFi project Pickle Finance exploited for $20 million

Another day, another DeFi exploit. On Saturday, November 21st, the DeFi project ‘Pickle Finance’ was exploited for $19.7 million. This is the fourth DeFi exploit to take place within just two weeks with the Akropolis ($2 million), Value DeFi ($7.4 million), and Origin protocol ($7.7 million) exploits proceeding it.

But unlike the three DeFi exploits that took place before it, analysts are not sure how the Pickle Finance exploit took place. Some speculate that it was yet another flash-loan attack–the same type of exploit that led to the Akropolis, Value DeFi, and Origin Protocol exploits–however, others are saying that the exploit was more complex than the typical flash-loan attack.

In addition in the second invocation for swapExactJarForJar there were passed a target and doing a delegate call to CurveProxyPool 😢

Really complex and is not using at all FlashLoans!https://t.co/6HetsSmdbm pic.twitter.com/RVVyy39IAG

— emiliano.oO ⚡️⛓️ (@emilianobonassi) November 21, 2020

Later on, The Pickle Finance team announced that they figured out how the exploit took place, that it’s very complex, and that it took their dev team nearly four hours to figure it out.

Next steps for the Pickle Finance team

As a result of the exploit, the Pickle Finance team recommended that its liquidity providers withdrawal their funds from any Pickle Finance pool until the issue is solved. 

Shortly after they recommended withdrawals, the Pickle Finance team claimed to have patched the attack vector and said that providing liquidity in any Pickle Finance pool–except its DAI pool–was once again safe.

High risk, low reward

As time goes on, it is becoming clear that DeFi investments are no longer high-risk high reward ventures, but rather, high risk, low reward ventures. Although more money continues to pour into the DeFi sector, the new capital is not being allocated to meme coins like $PICKLE, instead, it is going to legitimate DeFi use-cases like decentralized borrowing and lending.

DeFi related crime is on the rise, and three DeFi projects were the victims of flash-loan attacks in the last 14 days. Considering that many DeFi projects have simply copy and pasted the code of other projects, it would not be surprising to see even more projects become the victim of flash-loan attacks.

The best way to stay dry in a time when attackers are looking to exploit DeFi projects and separate investors from their funds is to stay out of the DeFi space. The few dollars you could make from investing in these hobby projects is not worth all the money you could lose through the project’s attack vectors.