Pike, a decentralized finance (DeFi) protocol, has issued a clarification regarding a vulnerability it had attributed to USD Coin (USDC) after experiencing a $1.6 million exploit. The protocol initially stated that the exploit was related to a vulnerability in USDC, but later retracted the statement, acknowledging that it did not accurately describe the nature of the exploit.
Pike has now clarified that the exploit was caused by security lapses in its own contract functions when using the Cross-Chain Transfer Protocol (CCTP) provided by USDC-issuer Circle. The protocol emphasized that the root cause of the exploit is unrelated to the functionality of Circle’s product offerings.
In a previous announcement, Pike mentioned that their auditing partner had identified the vulnerability that led to the initial hack on April 26, but their team was unable to address it. They attributed the exploit to the “improper integration” of third-party technologies like CCTP and Gelato Network’s automation services.
The initial attack resulted in the theft of $300,000 worth of digital assets. Subsequently, on April 30, an attacker exploited the protocol’s smart contract, draining approximately $1.68 million across Ethereum, Arbitrum, and Optimism. The attacker took $1.4 million in Ether (ETH), $150,000 in Optimism (OP), and about $100,000 in Arbitrum (ARB) tokens. Pike acknowledged that both attacks were due to the same smart contract vulnerability, which allowed the attackers to bypass admin access and withdraw funds.
While hacks continue to be a concern in the crypto space, data indicates that losses from crypto-related hacks decreased significantly in April compared to February and March. PeckShield reported that losses from hacks in April amounted to $60 million, down from February’s $360.8 million and March’s $187.6 million.