Pickle Finance
HackedDeFi · $PICKLE · born 2020 · ✝ 2020
A yield aggregator tricked by a fake jar.
Pickle Finance was a yield-aggregation protocol exploited in November 2020 through its vault ("pJar") system. The attacker used a malicious, unvetted jar and a swap exploit to drain DAI from the protocol's strategies.
- Peak: ~$19.7M stolen
- Cause: Hacked
- Year of death: 2020
☠️ Cause of death
A vault swap exploit let the attacker route funds through a fraudulent jar contract and drain Pickle's DAI strategies.
📓 Lessons left behind
- Whitelist every contract a vault is allowed to interact with.
- Composability multiplies the surface for swap exploits.
- Validate strategy targets before routing user funds.
🌱 The idea that survived
Strategy whitelisting
Pushed yield protocols to strictly whitelist and audit the contracts their vaults can call.
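As an added illustration of the whitelisting idea (this is example code written for this entry, not Pickle Finance's own contracts): a minimal controller that refuses to route vault funds to any jar or strategy governance has not explicitly approved, and that gates jar-to-jar swaps on both endpoints being whitelisted and sharing the same underlying token. The `IJar` and `IStrategy` interfaces, the function names and the single-strategy-per-token layout are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example only (not Pickle's code). Interfaces below are assumed shapes for the
// vault ("jar") and strategy contracts the controller is allowed to call.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IStrategy {
    function want() external view returns (address); // underlying token
    function deposit() external;                      // put received funds to work
}

interface IJar {
    function token() external view returns (address); // underlying token
    function withdrawTo(address to, uint256 amount) external;
    function deposit(uint256 amount) external;
}

contract WhitelistedController {
    address public governance;

    // Explicit allow-lists: nothing outside these mappings can receive funds.
    mapping(address => bool) public approvedJars;
    mapping(address => bool) public approvedStrategies;
    // One approved strategy per underlying token.
    mapping(address => address) public strategyFor;

    event JarApproved(address indexed jar, bool approved);
    event StrategyApproved(address indexed token, address indexed strategy);

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor() {
        governance = msg.sender;
    }

    function setJarApproval(address jar, bool approved) external onlyGovernance {
        approvedJars[jar] = approved;
        emit JarApproved(jar, approved);
    }

    // A strategy is only accepted for the token it actually reports as `want()`,
    // so a mismatched or malicious target cannot be registered by mistake.
    function approveStrategy(address token, address strategy) external onlyGovernance {
        require(IStrategy(strategy).want() == token, "strategy/token mismatch");
        approvedStrategies[strategy] = true;
        strategyFor[token] = strategy;
        emit StrategyApproved(token, strategy);
    }

    // Called by a jar to push idle funds into the approved strategy for `token`.
    // Both the caller and the destination are checked against the allow-lists.
    function earn(address token, uint256 amount) external {
        require(approvedJars[msg.sender], "caller is not an approved jar");
        address strategy = strategyFor[token];
        require(strategy != address(0) && approvedStrategies[strategy], "no approved strategy");
        require(IERC20(token).transfer(strategy, amount), "transfer failed");
        IStrategy(strategy).deposit();
    }

    // Move funds between two jars. The swap path is the surface this entry
    // describes, so it is restricted to whitelisted jars with the same underlying.
    function swapJars(address fromJar, address toJar, uint256 amount) external onlyGovernance {
        require(approvedJars[fromJar] && approvedJars[toJar], "jar not whitelisted");
        require(IJar(fromJar).token() == IJar(toJar).token(), "underlying mismatch");
        IJar(fromJar).withdrawTo(toJar, amount);
        IJar(toJar).deposit(amount);
    }
}
```

The point of the design is that every address funds can flow to is checked at the moment of the call, not only at registration: an attacker-deployed jar that was never approved fails the `approvedJars` check on both `earn` and `swapJars`, regardless of how plausible its interface looks.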
#defi #yield #vault #logic-bug