Pickle Finance Hack

TOTAL LOST $19.7M
High Other ethereum

Summarize with AI

Affected Chain ethereum Incident surface
Recovered - No recovery reported
All-Time Rank #236 By amount stolen
Auditors 1 Prior security audit

Incident Overview

An attacker exploited Pickle Finance's ControllerV4 by deploying malicious smart contracts, leading to a loss of 19M DAI.

The attacker deployed two smart contracts with malicious logic, which were used to retrieve the amount available to withdraw from StrategyCmpdDaiV2. The ControllerV4.swapExactJarForJar() function was invoked, which doesn't check the Jars and calls them, withdrawing from StrategyCmpDAIV2. This transferred 19M DAI to pDAI.

The attacker then called pDAI.earn() three times, leading to a Compound deposit and the contract receiving cDAI. Three more smart contracts with malicious logic were deployed and the ControllerV4.swapExactJarForJar() function was invoked again, leading to the withdrawal of cDAI and transferring them to ControllerV4. The funds were then transferred to the attacker's smart contract, which redeemed cDAI for DAI from Compound and transferred DAI to the attacker's EOA.

The attacker's address:

https://etherscan.io/address/0x75aa9550…abe0f9

https://etherscan.io/address/0x02c83645…111ee6

The transaction behind the attack:

https://etherscan.io/tx/0xe72d4e7b…1087b0

Incident Report

Protocol / Project Pickle Finance
Date of Incident
Affected Chain(s) ethereum
Attack Technique Other
Classification Yield Aggregator

Protocol Information

Protocol Type Yield Aggregator
Affected Token PICKLE
Official Website www.pickle.finance/
Protocol Twitter/X @picklefinance
Team Anonymous
Source Code Unverified

Market Context at Time of Hack

Token Categories
DeFi DAO Ethereum Ecosystem Yield Farming Yield Aggregator Yearn Partnerships Alameda Research Portfolio Arbitrum Ecosystem

What the Attacker Needed to Succeed

Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.

Technical Knowledge Deep understanding of other and Solidity and EVM internals
Capital Required Seed capital to cover gas and initial position setup
On-Chain Access Ability to interact with ethereum smart contracts and deploy a custom exploit contract
Protocol Analysis Identification of the exploitable vulnerability in Pickle Finance's contract logic - root cause: yield aggregator
Execution Speed Precise transaction ordering and timing to exploit the vulnerability within a single atomic block
Obfuscation Plan A strategy to launder and move stolen funds - typically through mixers, cross-chain bridges, or decentralized DEX swaps to resist tracing

What Auditors Should Check

Could this have been caught in audit? Likely — with a thorough Other audit checklist and test coverage
Audited by Audit Report 1 — still lost $19.7M. Prior audits don't guarantee safety, especially after post-audit code changes.

If you're auditing a protocol with similar architecture to Pickle Finance, these are the critical security checks that could have prevented this incident (November 2020).

  • Verify all logic paths related to Other are guarded by proper access controls and input validation
  • Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs

Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.

Free Trial

Security Audit History

Sources & References

Learn to Prevent the Next Pickle Finance

The Pickle Finance hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.

Recreate exploit patterns safely Free Trial