DeFi gets its first merger after a devastating hack, Nov. 18–25

Finance Redefined is Cointelegraph’s weekly DeFi-centric newsletter, delivered to subscribers every Wednesday.

On Saturday, we saw one of the most complex smart contract hacks yet affecting Pickle Finance, a yield optimization protocol very similar to Yearn — an important point for later.

PeckShield provided a technical explanation for it, but I think only Solidity developers can really understand it.

The high-level take is that the hacker found two textbook examples of code vulnerabilities in the “pickle jars” — the protocol’s term for yield strategy contracts. One was failure to check if the jar is actually supported, which resulted in the hacker deploying an “evil jar” that the system believed to be legitimate. The other flaw was a “remote” code execution vulnerability that allowed the hacker’s contract to call functions as if it were the Pickle administrator contract.

The hacker basically just instructed the smart contract to give them all the money it held. The loot is the entirety of the affected Dai jar, worth about $20 million.
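The two missing checks described above can be sketched in a few lines. This is an added illustration, not Pickle Finance's Solidity code or PeckShield's analysis: it is a simplified Python model in which every class, method and balance is hypothetical and constructed, showing a controller that trusts any jar-shaped object beside one that enforces allow-lists.

```python
# Added illustration: simplified Python model, not Pickle Finance's contracts.
# Every class, method and value here is hypothetical and constructed.

class Jar:
    """Vault that only releases funds to its controller."""
    def __init__(self, name, controller, balance=0):
        self.name, self.controller, self.balance = name, controller, balance

    def withdraw_all(self, caller):
        if caller is not self.controller:
            raise PermissionError("only the controller may withdraw")
        amount, self.balance = self.balance, 0
        return amount

    def deposit(self, amount):
        self.balance += amount


class Controller:
    def __init__(self, check_allow_lists):
        self.check = check_allow_lists
        self.jars = set()        # jars the protocol actually supports
        self.converters = set()  # helper callables the controller may invoke

    def swap_jars(self, from_jar, to_jar, converter=None):
        if self.check:
            # Check 1: both jars must be registered, not merely jar-shaped.
            if from_jar not in self.jars or to_jar not in self.jars:
                raise PermissionError("unsupported jar")
            # Check 2: never run caller-supplied logic with controller authority.
            if converter is not None and converter not in self.converters:
                raise PermissionError("unapproved converter")
        amount = from_jar.withdraw_all(caller=self)
        if converter is not None:
            amount = converter(amount)  # runs inside the controller's context
        to_jar.deposit(amount)


def run(check_allow_lists):
    """Return the Dai jar balance after a swap into an unregistered jar."""
    ctrl = Controller(check_allow_lists)
    dai = Jar("dai", ctrl, balance=20_000_000)  # constructed figure
    ctrl.jars.add(dai)
    outsider = Jar("unregistered", ctrl)        # never added to ctrl.jars
    try:
        ctrl.swap_jars(dai, outsider)
    except PermissionError:
        pass
    return dai.balance
```

With the checks off, the registered jar is emptied into a jar the protocol never approved; with them on, the swap is rejected before any funds move.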

A few developers including Banteg, a core Yearn team member, assisted the Pickle team in triaging the vulnerability. Not that there was much that could be done — the money was gone, and this hacker was not so gracious as to return money to “nurses” affected by the hack.

This was perhaps the first high-profile usage of DeFi insurance. Cover Protocol, which provided some Pickle users with coverage in case of disastrous events like this, paid out $320,000 worth of claims in full after a five-day deliberation.