Punk Protocol: Unprotected initialize() — delegateCall Forge Address Override
Punk Protocol's $8.95M annuity hack came down to a single missing modifier — an `initializer` guard on `initialize()` that let attackers redirect all protocol funds to their own contract.
Summary #
Punk Protocol suffered a Yield / Annuity Protocol on 2021-08-10, resulting in a loss of approximately $9M.
What happened #
Punk Protocol's $8.95M annuity hack came down to a single missing modifier — an `initializer` guard on `initialize()` that let attackers redirect all protocol funds to their own contract.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unknown (likely unaudited — no audit mentioned)]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — protocol just launched] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — protocol just launched]
- RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: Days old (Fair Launch, just opened)]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — built on Compound infrastructure]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — built on Compound infrastructure]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — protocol just launched]