On 3 September, decentralized finance protocol Pythia Finance was hit by a reentrancy attack that drained $53,000 from its funds. Pythia, an algorithmic stablecoin project that utilises artificial intelligence to manage its treasury, fell victim to this exploit due to a flaw in its “claim rewards” function.
The attacker repeatedly re-entered this function before the system had updated the reward balance from the previous call, enabling them to collect rewards beyond their entitlement. The vulnerability was linked to Pythia’s use of the token’s “safe transfer” function during reward distribution: that transfer handed control to the token contract mid-execution. A malicious token contract exploited this by calling back into Pythia from the transfer, looping the claim until the protocol’s funds were drained.
Quill Audits, a blockchain security firm, reported on the incident, noting that its partial audit for Pythia showed no unresolved security issues, suggesting that the team may have addressed the flaw post-attack. Reentrancy attacks such as this one remain a prevalent threat in the smart contract domain: an attacker re-enters a function before its earlier invocation has finished updating state, so the stale state is acted on again.
Screenshot of Pythia partial audit report. (Pythia / X).
Zyxel Networking Devices Expose Users to Potential Hacks
Meanwhile, networking hardware manufacturer Zyxel disclosed a critical vulnerability on 4 September, which could have allowed attackers to execute code on users’ routers and access points. The vulnerability arose from improper neutralisation of elements within the CGI program, potentially enabling unauthorised command execution through crafted cookies.
This flaw presents a significant risk for crypto wallet users, as compromised home networks could lead to DNS spoofing, data interception, and social engineering attacks. Zyxel has released a list of affected devices and urged users to update their firmware to mitigate this risk.
Penpie Exploit Results in $27 Million Loss
Another major incident in the DeFi space involved the Penpie protocol, which suffered a $27 million exploit on 3 September. According to a report by Zokyo, the flaw lay in a function that allowed any user to create a Pendle Market. This loophole enabled the attacker to create a fake market and pool, which were manipulated to generate valuable rewards.
The attacker exploited a reentrancy flaw in Penpie’s system, repeatedly calling the deposit function to inflate rewards before withdrawing the deposit. The vulnerability had existed in an earlier version of the protocol but was exacerbated by changes that allowed anyone to register a new pool, a feature introduced after Zokyo’s audit.
Penpie’s team acknowledged the issue, attributing the exploit to an oversight during separate audits conducted by different security firms. Moving forward, they plan to implement periodic audits to prevent future incidents.
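The two incidents above share one root cause: an external call (a token transfer or a deposit into a pool) runs while the contract’s own accounting is still stale. The following Solidity is an added illustration and is not code from Pythia, Penpie, or either audit firm; all contract, function and variable names are hypothetical. It places a reward vault that pays out before zeroing the balance beside a hardened version that applies checks-effects-interactions, a re-entrancy mutex, and owner-only registration of reward tokens (the permissionless registration that the Penpie write-up describes is what the allow-list closes off).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the vaults need (hypothetical interface, not any project's code).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern, shown for contrast. The balance is read, paid out through an
/// external token call, and only then zeroed. If the token hands control back to the
/// caller during transfer (a hook or callback), claimRewards() can be re-entered while
/// rewards[msg.sender] still holds the old value.
contract RewardVaultVulnerable {
    address public immutable owner;
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public rewards;

    constructor(IERC20 token) {
        owner = msg.sender;
        rewardToken = token;
    }

    // Stand-in for real reward accounting, which is out of scope here.
    function accrue(address user, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        rewards[user] += amount;
    }

    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        // Interaction before effect: the external call sees stale state.
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
        rewards[msg.sender] = 0; // too late: a re-entrant call already read the old balance
    }
}

/// Hardened version: (1) checks-effects-interactions ordering, (2) a mutex that rejects
/// re-entry outright, (3) reward tokens must be registered by the owner, not by any caller.
contract RewardVaultHardened {
    address public immutable owner;
    IERC20 public rewardToken;
    mapping(address => uint256) public rewards;
    mapping(address => bool) public registeredToken; // allow-list of reward tokens

    uint256 private _locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner may add a reward token; anyone-can-register is the failure mode to avoid.
    function registerRewardToken(IERC20 token) external onlyOwner {
        registeredToken[address(token)] = true;
        rewardToken = token;
    }

    // Stand-in for real reward accounting, which is out of scope here.
    function accrue(address user, uint256 amount) external onlyOwner {
        rewards[user] += amount;
    }

    function claimRewards() external nonReentrant {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");                             // check
        require(registeredToken[address(rewardToken)], "unregistered token"); // check
        rewards[msg.sender] = 0;                                             // effect, before any external call
        require(rewardToken.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Two points worth keeping in mind when reading the hardened contract. The “safe” in safeTransfer-style library wrappers refers to handling tokens that return nothing or return false; it says nothing about whether the token calls back into the caller, so it is not a re-entrancy defence on its own. And the mutex is a backstop, not a substitute for ordering: zeroing the balance before the transfer is what makes a re-entrant claim see zero, while the guard makes the attempt revert rather than silently succeed.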