
The $26 Million PenPie Exploit: How Blaz+ Protects You in Real-Time

October 23, 2024



In September 2024, PenPie was hit with a massive reentrancy attack, resulting in a loss of over $26 million. As DeFi continues to expand, the need for real-time on-chain security is more critical than ever. This incident shows why traditional audits aren’t enough—and why 24/7 on-chain penetration testing, like Fuzzland’s Blaz+ Analysis, is the future of DeFi security.


What is a Reentrancy Attack?

A reentrancy attack takes advantage of the order in which a smart contract carries out its operations: when a function makes an external call before it updates its own state, the called contract can call back into that function and run it again against the stale state. Repeated re-entry of this kind can be used to drain funds from a vulnerable protocol. Ethereum’s security guide offers a detailed breakdown of how reentrancy attacks work.

In the PenPie exploit, the attacker manipulated the _harvestBatchMarketRewards function, inflating rewards and draining funds. If you want a deeper dive into how reentrancy attacks operate, check out Binance Academy’s guide.
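To make the mechanism concrete, here is an added Python model of the pattern described above. It is not Fuzzland's, PenPie's or Ethereum's code: `Vault` is a constructed toy contract that, in vulnerable mode, pays out before updating the caller's credit, and in hardened mode applies checks-effects-interactions plus a reentrancy guard. `Receiver`, the account names and the balances are all constructed for the demo, and Solidity semantics are simplified (a call into a contract is a method call, and the contract's ETH balance is `total_funds`).

```python
# Added example (not Fuzzland's, PenPie's or Ethereum's code): a Python model of
# reentrancy.  Vault(hardened=False) makes the external call before updating
# state; Vault(hardened=True) updates state first and also refuses nested entry.


class ReentrancyError(Exception):
    """Raised by the hardened vault when a nested withdraw() is attempted."""


class Vault:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.balances: dict[str, int] = {}   # per-account credit
        self.total_funds = 0                 # models the contract's ETH balance
        self._locked = False                 # reentrancy guard flag
        self.entry_attempts = 0              # every call into withdraw(), nested or not

    def deposit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_funds += amount

    def withdraw(self, account: str, recipient: "Receiver") -> None:
        self.entry_attempts += 1
        if self.hardened and self._locked:
            # Guard: refuse to run while an outer withdraw() is still on the stack.
            raise ReentrancyError("reentrant call blocked")
        self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.total_funds:
                return  # nothing owed, or the vault cannot cover it (the transfer would fail)
            if self.hardened:
                # Checks-effects-interactions: update state BEFORE the external call,
                # so a re-entering caller finds a zero balance.
                self.balances[account] = 0
                self.total_funds -= amount
                recipient.receive(self, amount)
            else:
                # Vulnerable ordering: the external call runs while
                # balances[account] still shows the full credit.
                self.total_funds -= amount
                recipient.receive(self, amount)
                self.balances[account] = 0
        finally:
            self._locked = False


class Receiver:
    """Constructed recipient contract whose payment hook calls back into the
    vault while the first withdraw() is still executing."""

    def __init__(self, account: str) -> None:
        self.account = account
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        try:
            vault.withdraw(self.account, self)   # the re-entrant call
        except ReentrancyError:
            pass                                 # the hardened vault refused it


def is_solvent(vault: Vault) -> bool:
    """A vault is solvent when every credited balance is still backed by funds."""
    return sum(vault.balances.values()) <= vault.total_funds


def run_scenario(hardened: bool) -> dict:
    """Deposit constructed balances, let the receiver withdraw, report the outcome."""
    vault = Vault(hardened)
    vault.deposit("honest", 2)      # constructed balances, arbitrary units
    vault.deposit("attacker", 1)
    receiver = Receiver("attacker")
    vault.withdraw("attacker", receiver)
    return {
        "received": receiver.received,
        "vault_funds": vault.total_funds,
        "honest_credit": vault.balances["honest"],
        "entry_attempts": vault.entry_attempts,
        "solvent": is_solvent(vault),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

In vulnerable mode the one-unit deposit is paid out three times, the vault ends up empty while the honest account still shows a credit of 2, and `is_solvent` turns false. In hardened mode the nested call is refused, the receiver gets exactly its own deposit, and the vault stays solvent; the state update before the call would already stop the drain on its own, and the guard makes the refusal explicit and visible in the entry count.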


How the PenPie Exploit Unfolded

Here’s a closer look at how the $26 million attack on PenPie played out:

  • Fake Markets: The attacker set up fake markets using counterfeit tokens, which appeared legitimate.
  • Exploiting Reentrancy: By abusing the reentrancy flaw in the _harvestBatchMarketRewards function, they were able to claim inflated rewards over and over.
  • Laundering Funds: After the exploit, the stolen $26 million was funneled through Tornado Cash, a popular tool for obfuscating transactions.

How Blaz+ Protects Against Reentrancy Attacks

Traditional audits often miss vulnerabilities like the one that hit PenPie. That’s where Fuzzland’s Blaz+ suite steps in, offering 24/7 protection.

Blaz+ Analysis: Constant Vigilance

Blaz+ Analysis provides 24/7 on-chain penetration testing, designed to detect vulnerabilities like reentrancy flaws. Using AI, fuzzing, and formal verification, Blaz+ constantly scans your smart contracts and analyzes every transaction to keep them secure.

Blaz+ Alert: Instant Notifications

The moment Blaz+ Analysis spots a vulnerability, Blaz+ Alert sends out real-time notifications. These alerts integrate into your existing workflow so you can act fast, preventing an exploit before it happens.

Blaz+ Mitigation: Stopping Attacks in Their Tracks

If an attack is already underway, Blaz+ Mitigation jumps into action. It monitors the mempool in real time, using advanced techniques like frontrunning and back-running to block or neutralize malicious transactions before they can cause damage.
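Both the per-transaction analysis described under Blaz+ Analysis and the mempool monitoring described under Blaz+ Mitigation need a concrete rule for deciding that a transaction re-enters a protected contract. The following is an added Python example of one such rule, not Blaz+ code: it walks a depth-annotated call trace and reports every call into a watched contract that arrives through another contract while an earlier frame of the same contract is still open. It goes slightly beyond the single-function case in the text by also classifying cross-function reentrancy (re-entering a different function of the same contract). The `Frame` layout, the addresses and the function names are constructed placeholders.

```python
# Added example (not Blaz+ code): a trace-level reentrancy check of the kind a
# real-time transaction monitor can run.  Frame layout, addresses and function
# names are constructed placeholders, not PenPie's or any real contract's.

from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    depth: int     # number of open frames above this call (0 = top-level call)
    caller: str
    callee: str
    func: str


def find_reentrancy(trace, watched=None):
    """Return one finding per re-entrant call in a depth-annotated trace.

    A call is re-entrant when an ancestor frame targets the same contract and
    the call arrives from a *different* contract (a plain self-call is not
    reentrancy).  `watched` limits findings to the contracts you protect; None
    reports re-entries into every contract in the trace.
    """
    stack: list[Frame] = []
    findings = []
    for frame in trace:
        if frame.depth > len(stack):
            raise ValueError(f"malformed trace: depth {frame.depth} after {len(stack)} open frames")
        del stack[frame.depth:]          # frames deeper than this one have returned
        if watched is None or frame.callee in watched:
            open_same = [a for a in stack if a.callee == frame.callee]
            if open_same and frame.caller != frame.callee:
                outer = open_same[-1]    # nearest still-open frame of this contract
                findings.append({
                    "depth": frame.depth,
                    "contract": frame.callee,
                    "function": frame.func,
                    "kind": "same-function" if outer.func == frame.func else "cross-function",
                    "reentered_from": frame.caller,
                    "outer_function": outer.func,
                })
        stack.append(frame)
    return findings


def _trace(rows):
    return [Frame(*row) for row in rows]


# Constructed traces (placeholder addresses).  The first mirrors the classic
# withdraw/receive loop; the second re-enters a different function of the same
# contract, which a check tied to one function would miss; the third is benign.
TRACE_SAME_FUNCTION = _trace([
    (0, "0xEOA",      "0xATTACKER", "run"),
    (1, "0xATTACKER", "0xVAULT",    "withdraw"),
    (2, "0xVAULT",    "0xATTACKER", "receive"),
    (3, "0xATTACKER", "0xVAULT",    "withdraw"),
    (4, "0xVAULT",    "0xATTACKER", "receive"),
])

TRACE_CROSS_FUNCTION = _trace([
    (0, "0xEOA",    "0xCALLER", "run"),
    (1, "0xCALLER", "0xVAULT",  "harvest"),
    (2, "0xVAULT",  "0xMARKET", "claim"),
    (3, "0xMARKET", "0xVAULT",  "deposit"),
])

TRACE_BENIGN = _trace([
    (0, "0xEOA",    "0xROUTER", "swap"),
    (1, "0xROUTER", "0xPOOL",   "swap"),
    (2, "0xPOOL",   "0xTOKEN",  "transfer"),
    (1, "0xROUTER", "0xTOKEN",  "transfer"),   # sibling call: the first TOKEN frame has returned
    (1, "0xROUTER", "0xROUTER", "sweep"),      # self-call, not reentrancy
])


if __name__ == "__main__":
    for name, trace in [("same-function", TRACE_SAME_FUNCTION),
                        ("cross-function", TRACE_CROSS_FUNCTION),
                        ("benign", TRACE_BENIGN)]:
        print(name, find_reentrancy(trace, watched={"0xVAULT", "0xROUTER", "0xTOKEN"}))
```

A trace in this shape can be produced for a pending transaction by simulating it against current state (Geth's `debug_traceCall` returns the nested call tree, which flattens to depth-annotated frames). The rule is a triage signal rather than a verdict: any callback into a watched contract is reported, including legitimate ones such as token transfer hooks or flash-loan callbacks, so findings are best combined with the state changes the simulation shows (for instance, rewards or balances changing inside the re-entered frame) before a transaction is blocked.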


Don’t Wait for the Next Exploit

Attacks like the one that hit PenPie are a reminder that DeFi protocols need real-time, on-chain security. With Fuzzland’s Blaz+ suite, you can detect and prevent vulnerabilities before they become exploits.

About Fuzzland

Founded by a global team of security experts, Fuzzland is redefining smart contract security through proactive and reactive attack prevention. Leveraging industry-first techniques—including 24/7 on-chain penetration testing, AI-powered fuzzing, and formal verification—Fuzzland provides round-the-clock protection for decentralized networks. Our solutions don’t just identify vulnerabilities; they actively safeguard blockchain ecosystems by preventing potential breaches and setting new standards for reliability in the Web3 space. Join the Web3 security revolution with Fuzzland. Follow Fuzzland’s work and get in touch today: Website | X | LinkedIn