Pike Finance: Storage Layout Collision → Unauthorized Proxy Upgrade / Ownership Takeover
Pike Finance was exploited twice in four days — the second time using the same root vulnerability introduced by the emergency patch deployed to fix the first: a storage layout collision that left proxy contracts re-initializable and ownership stealable.
Summary #
Pike Finance suffered a Lending / Cross-chain Liquidity Market on 2024-04-26, resulting in a loss of approximately $2M.
What happened #
Pike Finance was exploited twice in four days — the second time using the same root vulnerability introduced by the emergency patch deployed to fix the first: a storage layout collision that left proxy contracts re-initializable and ownership stealable.
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — emergency patch introduced the bug; original audit did not cover post-patch code]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (emergency patch)]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — emergency patch deployed after first exploit]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — emergency upgrade between attacks introduced the storage collision]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]