Phishing attack by hackers
Late on Saturday, one of Pickle Finance's liquidity pools lost $20.16 million. Unknown hackers moved the stolen funds to their own wallet address.
The DeFi project's developers do not know which code vulnerability the hackers used; the smart contract had successfully passed a security audit by MixBytes and Haechi.
Pickle Finance is one of the most popular and useful platforms in the decentralized finance market, and has been specifically mentioned by Vitalik Buterin.
Each Pickle Jar liquidity pool is an automated strategy aimed at maximizing returns from the harvest by investing farmers' funds according to a given algorithm. Another advantage of the platform's investment strategy is the averaging of gas costs across all liquidity pools, which significantly reduces the cost for an individual farmer.
Pickle Finance's main specialization is arbitrage of stablecoins issued by various DeFi protocols. The smart contract automatically increases the investment in whichever type of token deviates most from the dollar rate.
A farmer can also exchange and transfer different types of stablecoin from one Jar pool to another with a single click, gaining arbitrage profits. According to white-hat hackers, this was the reason for the attack.
The attacker created a phishing Pickle Jar pool, synchronizing its exchange code with the pJar pool focused on the Compound platform, and then exchanged fake tokens for DAI. The stablecoins obtained through the phishing operation were converted to ETH and withdrawn to the hacker's own wallet.
Pickle Finance's managing director, Peter Wyszenko, said: "Stolen funds were kept motionless for 8 hours. It is not excluded that the attacker conducted a demonstrative attack". Pickle Finance urges farmers to withdraw all funds from Jar pools during the investigation, until the vulnerability is addressed.