{"id":117364,"date":"2020-11-22T00:14:14","date_gmt":"2020-11-21T21:14:14","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/pickle-in-a-pickle-as-attacker-swipes-20-million-in-evil-jar-exploit\/"},"modified":"2020-11-22T00:14:14","modified_gmt":"2020-11-21T21:14:14","slug":"pickle-in-a-pickle-as-attacker-swipes-20-million-in-evil-jar-exploit","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/pickle-in-a-pickle-as-attacker-swipes-20-million-in-evil-jar-exploit\/","title":{"rendered":"# $pickle in a pickle as attacker swipes $20 million in \u201cevil jar\u201d exploit"},"content":{"rendered":"<p>&#8220;<strong># $pickle in a pickle as attacker swipes $20 million in \u201cevil jar\u201d exploit<\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjAtMTEvM2Y1Y2I2YzItNmVkMS00ZmQ3LTg0MzMtZmQwMTE5OTAzMzljLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-5a136f3a>\n<p>In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million.<\/p>\n<p>The <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0xe72d4e7ba9b5af0cf2a8cfb1e30fd9f388df0ab3da79790be842bfbed11087b0\">attack<\/a> transpired roughly two hours ago, and ETH-savvy Twitter users were quick to notice that Pickle\u2019s cDAI jar \u2014 Pickle\u2019s term for a yield-bearing vault \u2014 had been emptied:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I think <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/picklefinance?ref_src=twsrc%5Etfw\">@picklefinance<\/a>&#8216;s cDAI jar just got attacked and drained. <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/t.co\/Lxwi2dWSSZ\">https:\/\/t.co\/Lxwi2dWSSZ<\/a> <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/t.co\/nUBE1KjEPh\">pic.twitter.com\/nUBE1KjEPh<\/a><\/p>\n<p>\u2014 mattyb (@mattybchats) <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/mattybchats\/status\/1330226503028797446?ref_src=twsrc%5Etfw\">November 21, 2020<\/a><\/p><\/blockquote>\n
<p>Unlike other recent attacks, however, this particular exploit did not feature flash loans \u2014 an increasingly maligned DeFi tool that allows would-be exploiters additional liquidity with which to manipulate on-chain prices. Instead, this hacker swapped funds between a malicious copycat contract and the cDAI jar.<\/p>\n<p>In an interview with Cointelegraph, Emiliano Bonassi \u2014 a self-described whitehat hacker and the co-founder of DeFi Italy \u2014 explained that the attacker created \u201cevil jars,\u201d smart contracts which \u201chave the same interface of traditional jars but do bad things.\u201d<\/p>\n<p>The attacker then swapped funds between his \u201cevil jar\u201d and the real cDAI jar, making off with the $20 million in deposits.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Evil jars deployed during the attack and passed in the swapExactJarForJar, investigating more on this<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/t.co\/szRloiecV8\">https:\/\/t.co\/szRloiecV8<\/a><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/t.co\/l2xT4zhQB1\">https:\/\/t.co\/l2xT4zhQB1<\/a><\/p>\n<p>There are sensible ops executed in that method (e.g. approve, withdraw etc.). <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/t.co\/29RNkF4vJb\">pic.twitter.com\/29RNkF4vJb<\/a><\/p>\n<p>\u2014 Emiliano Bonassi | emiliano.eth (@emilianobonassi) <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/emilianobonassi\/status\/1330239233538318339?ref_src=twsrc%5Etfw\">November 21, 2020<\/a><\/p><\/blockquote>\n
<p>Particularly after the attack on Harvest Finance, Pickle Finance had looked to be on its way towards becoming one of the preeminent farming protocols. As of press time, Pickle\u2019s stats website reported nearly $75 million total value locked remaining on the books, while the price of pickle, Pickle Finance\u2019s governance token, is down 50% on the day to $11.16.<\/p>\n<p>Pickle Finance\u2019s woes are just the latest in a troubling trend across the DeFi space. Recent exploit victims from just the last few weeks include Harvest Finance, Value DeFi, Akropolis, Cheese Bank, and Origin Dollar, among others.<\/p>\n<p>Perhaps, however, the vulnerabilities of one DeFi vertical might lead to the success of another. Said one Twitter trader:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Security audits are a meme.<\/p>\n<p>The new &#8220;audit&#8221; will be having proper insurance coverage.<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24Nsure&amp;src=ctag&amp;ref_src=twsrc%5Etfw\">$Nsure<\/a> <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24Cover&amp;src=ctag&amp;ref_src=twsrc%5Etfw\">$Cover<\/a><\/p>\n<p>\u2014 Cope_Infinitum (@CryptoMessiah) <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/CryptoMessiah\/status\/1330249824399208449?ref_src=twsrc%5Etfw\">November 21, 2020<\/a><\/p><\/blockquote>\n<\/div>\n
<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/pickle-in-a-pickle-as-attacker-swipes-20-million-in-evil-jar-exploit\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# $pickle in a pickle as attacker swipes $20 million in \u201cevil jar\u201d exploit &#8221; In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million.\u00a0 The attack transpired roughly two hours ago, and ETH-savvy Twitter users were quick to 
notice&#8230;<\/p>\n","protected":false},"author":1,"featured_media":117365,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/3f5cb6c2-6ed1-4fd7-8433-fd011990339c.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74868,74891,74882,79529,70944],"class_list":["post-117364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-defi","tag-ethereum","tag-hacks","tag-smart-contract","tag-hackers"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/117364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=117364"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/117364\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/117365"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=117364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=117364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=117364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}