
Penpie
HackedDeFi · born 2023 · ✝ 2024
A Pendle yield aggregator robbed by a fake market.
Penpie was a yield aggregator built on Pendle Finance: it pooled vePENDLE so depositors could earn boosted returns from Pendle's tokenized yield markets without locking PENDLE themselves. On 3 September 2024 an attacker deployed a malicious Pendle market and abused Penpie's reward-harvest logic to drain roughly $27M in Pendle LP tokens.
- Peak: ~$27M stolen
- Cause: Hacked
- Year of death: 2024
☠️ Cause of death
Penpie accepted any market created through Pendle's permissionless factory and trusted that market's own contracts to say which tokens were rewards and how much had been claimed, measuring rewards as the change in Penpie's token balances around the claim call. The attacker's market was backed by a malicious yield (SY) token that reported legitimate Pendle LP tokens as its reward tokens and, during the claim, reentered Penpie to deposit those LP tokens; the balance difference counted the deposit as harvested rewards and paid the real LP tokens out to the attacker's market.
📓 Lessons left behind
- Composable DeFi means your attack surface includes everyone else's contracts, and anything they can deploy.
- Allowlisting markets is not optional when anyone can create a market and declare its own reward tokens.
- Yield boosters amplify returns and exploit blast radius equally.
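The reward-harvest pattern described under the cause of death and the allowlisting lesson above, shown side by side as an added illustration. This is not Penpie's or Pendle's code: the contract and interface names, the factory's `isValidMarket` call, the `redeemRewards` callback and the balance-difference accounting are assumptions that stand in for the real contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Penpie's or Pendle's code. Interface names, the
// factory's isValidMarket() and the reward callback are assumptions.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

interface IMarket {
    function getRewardTokens() external view returns (address[] memory);
    function redeemRewards(address user) external; // runs the market's own code
}

interface IMarketFactory {
    function isValidMarket(address market) external view returns (bool);
}

// Before: any market is accepted, the market decides which tokens count as
// rewards, rewards are a balance diff around an external call, and nothing
// stops that call from re-entering deposit(). The LP token is the market itself.
contract VulnerableHarvester {
    mapping(address => uint256) public deposited;                   // user => LP amount
    mapping(address => mapping(address => uint256)) public rewards; // market => token => amount

    function deposit(address lpToken, uint256 amount) external {
        IERC20(lpToken).transferFrom(msg.sender, address(this), amount);
        deposited[msg.sender] += amount;
    }

    function harvest(address market) external {
        address[] memory tokens = IMarket(market).getRewardTokens();
        uint256[] memory bal0 = new uint256[](tokens.length);
        for (uint256 i; i < tokens.length; i++) {
            bal0[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
        IMarket(market).redeemRewards(address(this)); // untrusted code runs here
        for (uint256 i; i < tokens.length; i++) {
            // If the market named a real LP token and its callback deposited some
            // of it during redeemRewards, that deposit is booked as a reward.
            rewards[market][tokens[i]] += IERC20(tokens[i]).balanceOf(address(this)) - bal0[i];
        }
    }
}

// After: curated market allowlist, curated reward-token list, and one
// reentrancy guard shared by every state-changing entry point.
contract HardenedHarvester {
    IMarketFactory public immutable factory;
    address public immutable owner;
    mapping(address => bool) public allowedMarket;
    mapping(address => bool) public allowedRewardToken;
    mapping(address => uint256) public deposited;
    mapping(address => mapping(address => uint256)) public rewards;
    uint256 private locked = 1;

    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IMarketFactory factory_) { factory = factory_; owner = msg.sender; }

    // Factory membership is necessary but not sufficient: market creation is
    // permissionless, so a "valid" market can still wrap a hostile yield token.
    // Listing a market is an explicit, reviewed decision, not an automatic one.
    function allowMarket(address market) external onlyOwner {
        require(factory.isValidMarket(market), "not a factory market");
        allowedMarket[market] = true;
    }

    function allowRewardToken(address token) external onlyOwner {
        allowedRewardToken[token] = true;
    }

    function deposit(address lpToken, uint256 amount) external nonReentrant {
        require(allowedMarket[lpToken], "market not allowlisted");
        IERC20(lpToken).transferFrom(msg.sender, address(this), amount);
        deposited[msg.sender] += amount;
    }

    function harvest(address market) external nonReentrant {
        require(allowedMarket[market], "market not allowlisted");
        address[] memory tokens = IMarket(market).getRewardTokens();
        uint256[] memory bal0 = new uint256[](tokens.length);
        for (uint256 i; i < tokens.length; i++) {
            // A deposit asset can never be a reward token: otherwise a balance
            // diff could misattribute deposits to rewards even without reentrancy.
            require(allowedRewardToken[tokens[i]], "untrusted reward token");
            require(!allowedMarket[tokens[i]], "reward token is a deposit asset");
            bal0[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
        IMarket(market).redeemRewards(address(this));
        for (uint256 i; i < tokens.length; i++) {
            rewards[market][tokens[i]] += IERC20(tokens[i]).balanceOf(address(this)) - bal0[i];
        }
    }
}
```

The three defences are layered on purpose: the shared `nonReentrant` guard alone stops the deposit-during-harvest trick, the reward-token allowlist alone stops a market from naming other markets' LP tokens as rewards, and the market allowlist keeps an unreviewed market from being harvested at all. Any one of them would have changed the outcome described above; none of them is a substitute for the other two.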
🌱 The idea that survived
Curated composability
Yield protocols tightened market allowlists and on-chain verification after Penpie showed that composability without curation is an open bug bounty.
#defi #yield #composability #pendle