A Sad Day for Pickles
Pickle’s latest jar was completely drained for $20m DAI.
I know, I said I wasn’t covering hacks. But this one is kind of personal.
I’ve been a big fan of the positivity of the Pickle community and developers. Hanging out in the Discord channel you can immediately pick up on it. It’s always a vibrant, good-natured and informative conversation, and it almost never stops.
And so my thoughts go out to all Picklers today. Not only did $20m of user funds get drained, the exploit caused mass selling and the price of one pickle to crash 60% to $9.
Losing money is an awful feeling, but believe me, it gets better with time.
So what happened?
The tl;dr is that an attacker managed to create a fake jar and trick the system into draining all DAI in a newly launched unaudited jar to their own account.
The actual process is far from easy to understand, so we’ll have to wait for a full explanation. Luckily there’s a team of white hats delving deep into what happened, including some of the brightest minds in this space.
Pickle have put out an official blog that will be updated within a few hours with a detailed breakdown. Until then users have been advised to remove all funds from the protocol.
In the meantime, here are some of the highest-quality analyses I’ve come across:
Pickle Power
I’ve seen a few people pointing out that users of any ‘foodcoin’ get what they deserve. I’ve even seen members of the Pickle community turn against their friends and distance themselves from the project.
I’d like to state that I think this is an incredibly narrow mindset and highly reductive. This sort of exploit can literally happen to any DeFi project. We’re building incredibly complex financial systems with moving parts and multiple attack vectors, and the sad reality is these exploits are an unfortunate part of this ecosystem’s growth cycle.
There are two solutions available. The first is to never deposit any funds you’re not willing to lose. Everyone’s heard that, but following through is a step few take. The second is to get coverage and protect yourself. I recently wrote about the upcoming Umbrella insurance from Yam, but there are decentralised services already available to keep your DeFi safe, and they’re not expensive. Nexus Mutual comes to mind.
And so my thoughts on Pickle haven’t changed, and I know this strong community will bounce back better. Go easy on yourself guys, and I hope everyone’s doing OK.
Join the Discord.