Pickle Finance Hack
Incident Overview
An attacker exploited Pickle Finance's ControllerV4 by deploying malicious smart contracts, leading to a loss of 19M DAI.
The attacker deployed two smart contracts with malicious logic, which were used to retrieve the amount available to withdraw from StrategyCmpdDaiV2. The ControllerV4.swapExactJarForJar() function was invoked, which doesn't check the Jars and calls them, withdrawing from StrategyCmpDAIV2. This transferred 19M DAI to pDAI.
The attacker then called pDAI.earn() three times, leading to a Compound deposit and the contract receiving cDAI. Three more smart contracts with malicious logic were deployed and the ControllerV4.swapExactJarForJar() function was invoked again, leading to the withdrawal of cDAI and transferring them to ControllerV4. The funds were then transferred to the attacker's smart contract, which redeemed cDAI for DAI from Compound and transferred DAI to the attacker's EOA.
The attacker's address:
https://etherscan.io/address/0x75aa9550…abe0f9
https://etherscan.io/address/0x02c83645…111ee6
The transaction behind the attack:
https://etherscan.io/tx/0xe72d4e7b…1087b0
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Pickle Finance, these are the critical security checks that could have prevented this incident (November 2020).
- Verify all logic paths related to Other are guarded by proper access controls and input validation
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialSecurity Audit History
- Audit Report 1 Report
Sources & References
Learn to Prevent the Next Pickle Finance
The Pickle Finance hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.