2 auditors miss $27M Penpie flaw, Pythia’s ‘claim rewards’ bug: Crypto-Sec

Two smart contract auditors miss a Penpie bug that resulted in a $27M exploit, Pythia Finance attacker claims way too many rewards: Crypto-Sec


Decentralized finance protocol Pythia Finance was drained of $53,000 via a reentrancy attack on Sept. 3, according to a report from blockchain security firm Quill Audits. Pythia is an algorithmic stablecoin project that aims to use artificial intelligence to manage its treasury.

The attacker called the "claim rewards" function repeatedly, without allowing the reward balance to be updated after each call, and so collected more rewards than they were entitled to.

According to the report, the attacker was able to call this function repeatedly and in rapid succession because Pythia called the token's safe transfer function when rewards were distributed. Thus, a malicious token contract could call back into Pythia, causing Pythia to call it back again, resulting in a chain reaction that could drain the protocol's funds.
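The ordering problem the report describes, shown as an added sketch that is not from the article, the Quill Audits report or Pythia's code: a hypothetical `RewardVault` with the vulnerable claim path beside a hardened one. The contract, interface, mapping and function names are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of a rewards contract; not Pythia's actual code.
interface IRewardToken {
    // An untrusted token may run arbitrary code here, including a call
    // back into the contract that is paying out.
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RewardVault {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;
    bool private locked; // simple reentrancy lock

    constructor(IRewardToken token) {
        rewardToken = token;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Vulnerable ordering: the external call runs while pendingRewards[account]
    // still holds the old value, so a nested call passes the same check and
    // pays the same amount again before the balance is ever cleared.
    function claimRewardsVulnerable(address account) external {
        uint256 amount = pendingRewards[account];
        require(amount > 0, "nothing to claim");
        require(rewardToken.transfer(account, amount), "transfer failed");
        pendingRewards[account] = 0; // state update happens too late
    }

    // Hardened ordering: check, update state, then interact. The lock also
    // rejects any nested entry while a claim is in progress.
    function claimRewards(address account) external nonReentrant {
        uint256 amount = pendingRewards[account];
        require(amount > 0, "nothing to claim");
        pendingRewards[account] = 0; // effect before interaction
        require(rewardToken.transfer(account, amount), "transfer failed");
    }
}
```

Either change alone stops the double payout in this sketch; using both keeps the claim safe if a later edit reorders the statements.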
