Pickle Finance Hack 2020 — $20M Exploit Analysis

Pickle Finance's DAI jar (vault) was drained via a sophisticated exploit using counterfeit jars and swapping logic to extract DAI.

Details

Full Description

The attacker created a malicious 'evil jar' contract that mimicked Pickle Finance's official jar interface. By exploiting a flaw in the swap logic between jars, the attacker convinced the protocol to transfer 19.7M DAI from the cDAI jar to the evil jar. The exploit required deep understanding of Pickle's architecture and multiple Yearn-inherited components.

Laundering Analysis

The 19.7M DAI was converted to ETH and routed through Tornado Cash in large batches. Pickle Finance and Yearn Finance collaborated on a post-mortem and compensation plan. Yearn's Andre Cronje helped identify the vulnerability. The attacker was never identified, and funds were not recovered.

Sources

Transaction Hashes

Related Hacks

Back to Browse