In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million.
The attack transpired roughly two hours ago, and ETH-savvy Twitter users were quick to notice that Pickle’s cDAI jar — Pickle’s term for a yield-bearing vault — had been emptied:
— mattyb (@mattybchats) November 21, 2020
Unlike other recent attacks however, this particular exploit did not feature flashloans — an increasingly maligned DeFi tool that allows would-be exploiters additional liquidity with which to manipulate on-chain prices. Instead, this hacker swapped funds between a malicious copycat contract and the cDAI jar.
In an interview with Cointelegraph, Emiliano Bonassi — a self-described whitehat hacker and the co-founder of DeFi Italy — explained that the attacker created “evil jars,” smart contracts which “have the same interface of traditional jars but do bad things.”