Pike Finance has issued a clarification regarding a recent statement on a vulnerability linked to USD Coin (USDC) following a $1.6 million exploit on their platform on April 30.
Initially, on May 1, Pike attributed the exploit to a USDC-related vulnerability reported on April 26, stating it directly impacted their network. They later revised their statement, clarifying that the exploit was due to security lapses within their own contract functions related to the Cross-Chain Transfer Protocol (CCTP), a service associated with USDC’s issuer, Circle, and not due to Circle’s products themselves.
Pike further explained that the actual cause of the exploit stemmed from their team’s failure to properly integrate third-party technologies, such as CCTP and Gelato Network’s automation services. They acknowledged that this improper integration was previously identified by their auditing partner, OtterSec, on April 26, but the necessary corrections were not made in time to prevent the exploit.
The initial breach led to the theft of $300,000 in digital assets. A subsequent attack on April 30 exploited the same vulnerability to drain approximately $1.68 million across various blockchains, including Ethereum, Arbitrum, and Optimism. This second attack resulted in losses of $1.4 million in Ether, $150,000 in Optimism (OP) tokens, and around $100,000 in Arbitrum (ARB) tokens.
Pike confirmed that both incidents were due to the same underlying smart contract vulnerability, which allowed the attackers to circumvent administrative controls and withdraw funds.
Despite these setbacks, losses from crypto-related hacks have declined more broadly: hack-related losses fell to $60 million in April, down from $360.8 million in February and $187.6 million in March, according to PeckShield’s data.