This blog post will be updated as new events develop.
Updated at 2020-11-22 09:45 PM (UTC)
Technical details of the hack have been published by Banteg in collaboration with the Pickle Finance team and a number of other white hats. We encourage all who are interested in the matter to read that document.
At 2020–11–22 3:15 PM (UTC), a Timelock transaction was executed to grant the Pickle Finance Governance multi-sig wallet the ability to immediately revoke the offending code.
At 2020–11–22 3:16 PM (UTC), the offending proxy logic was revoked from the Controller. That logic was required for the identified attack vector, so revoking it closes the vector.
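The two steps above describe a common governance pattern: changes that add logic able to touch funds go through a Timelock delay, while a governance multi-sig is granted a fast path that can only remove approvals. The contract below is an added, simplified illustration of that pattern and is not Pickle Finance's code; the contract and function names (Timelock, Controller, approveStrategy, revokeStrategy, setGovernance), the 12-hour delay and the token-to-strategy approval mapping are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical pattern (not Pickle's code): approvals that expand what can
// touch vault funds are gated behind a timelock, while a governance multi-sig
// holds an immediate revoke so dangerous logic can be cut off without waiting.

contract Timelock {
    uint256 public constant DELAY = 12 hours; // assumed delay for the example
    address public admin;
    mapping(bytes32 => uint256) public eta; // queued call id -> earliest execution time

    constructor(address _admin) { admin = _admin; }

    // Queue a call; it cannot execute before DELAY has elapsed.
    function queue(address target, bytes calldata data) external returns (bytes32 id) {
        require(msg.sender == admin, "not admin");
        id = keccak256(abi.encode(target, data));
        eta[id] = block.timestamp + DELAY;
    }

    // Execute a previously queued call once its delay has passed.
    function execute(address target, bytes calldata data) external {
        require(msg.sender == admin, "not admin");
        bytes32 id = keccak256(abi.encode(target, data));
        require(eta[id] != 0 && block.timestamp >= eta[id], "not ready");
        delete eta[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

contract Controller {
    address public timelock;   // slow path: approve strategies, change roles
    address public governance; // fast path: multi-sig that may revoke immediately
    // token -> strategy -> approved
    mapping(address => mapping(address => bool)) public approvedStrategies;
    // token -> strategy currently receiving deposits
    mapping(address => address) public strategies;

    modifier onlyTimelock() {
        require(msg.sender == timelock, "not timelock");
        _;
    }

    constructor(address _timelock, address _governance) {
        timelock = _timelock;
        governance = _governance;
    }

    // Adding logic that can move funds must pass through the timelock delay.
    function approveStrategy(address token, address strategy) external onlyTimelock {
        approvedStrategies[token][strategy] = true;
    }

    // Granting the multi-sig its revocation right is itself a timelocked change,
    // which matches the order of the two steps in the post.
    function setGovernance(address _governance) external onlyTimelock {
        governance = _governance;
    }

    // Revocation only reduces what may act on funds, so it is safe to allow
    // without delay from either the timelock or the governance multi-sig.
    function revokeStrategy(address token, address strategy) external {
        require(msg.sender == timelock || msg.sender == governance, "not authorized");
        approvedStrategies[token][strategy] = false;
        if (strategies[token] == strategy) {
            strategies[token] = address(0); // deposits to this token stop routing
        }
    }

    // Funds may only be routed to a strategy that is currently approved.
    function setStrategy(address token, address strategy) external onlyTimelock {
        require(approvedStrategies[token][strategy], "strategy not approved");
        strategies[token] = strategy;
    }
}
```

The design point is the asymmetry: anything that widens the set of code allowed to touch deposits waits out the delay, while shrinking that set is immediate. Whether a specific protocol's Controller also checks the approval on every deposit path, not only when a strategy is set, is the kind of detail an audit should confirm.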
Deposits in other Jars may resume safely. However, please refrain from depositing in the DAI Jar for now.
We want to thank the DeFi community for their support in this difficult time. The entire Pickle Finance community appreciates your efforts.
On 2020–11–21 06:37 PM (UTC), Pickle’s pDAI PickleJar was hacked and 19,759,355 DAI was drained. Shortly after, a group of white hat hackers approached the core team and began working to figure out the situation.
The first step was to reverse-engineer the transaction and see if we could write the code to replicate the attack. After many hours, the team (now totalling more than 10 people) finally figured out how it was executed.
This was a very complicated attack and involved many components of the Pickle protocol. As of right now, it does not seem that any other funds are at risk.
While we work on the fix to remove the attack vector, the white hat group has decided that we should not publish any details of the actual attack yet. Although we have taken steps to mitigate further attacks, we do not want to tempt fate in the meantime.
Once the fix is in, estimated to be around 2020–11–22 15:00 UTC, we shall have more to disclose.
Contributors to Pickle have made reasonable efforts at ensuring the integrity of the protocol, including tests. Pickle is completely valueless and has 0 financial value. Anyone who chooses to engage with these contracts, including the Pickle token contract and the staking contracts, is doing so at their own risk. You should perform your own due diligence.