Dear Penpie Community,

On September 3, 2024, Penpie experienced a sophisticated attack, resulting in the theft of 11,113.6 ETH, valued at approximately $27.3 million, from users across the Ethereum and Arbitrum networks. The attacker exploited a vulnerability within the PendleStakingBaseUpg::batchHarvestMarketRewards() function, using a malicious SY contract to repeatedly harvest market rewards, draining a significant portion of the platform’s assets.

Immediate Mitigation Steps

In collaboration with Pendle Finance, external security experts, and law enforcement, we have taken immediate steps to mitigate further damage:

• Paused all contracts on Penpie and Pendle to prevent additional malicious activity.
• Secured approximately $70 million that could have been at risk of being drained.
• Initiated investigations and collaboration with law enforcement and security partners to track the stolen funds and identify the attacker.

Despite these efforts, we understand that the incident has caused significant loss and disruption to our users. You can read the detailed Post Mortem for a full breakdown of the hack and our mitigation steps. We are committed to addressing this situation responsibly and ensuring that the community is involved in the resolution process.

Penpie and Magpie Financial Overview

To provide a clearer picture of both Penpie and Magpie’s financial standing and their impact on the current situation, we are sharing the following detailed information:

Penpie Financials

• Initial IDO Raised Funds: +$600,000 (raised through Penpie IDO on Camelot)
• Seed Liquidity Allocation: -$240,000 (allocated for PNP liquidity on DEX)
• Audit Expenses: -$112,900 (allocated for audits conducted by AstraSec, WatchPug, and Zokyo)
• Penpie Re-Audit Cost: -$140,000 (allocated for a re-audit currently being conducted by BlockSec, PeckShield, AstraSec, Zokyo, SlowMist and Hacken)
• Security Collaboration: -$112,500 (allocated for collaboration with security firms to track and freeze stolen funds. Based on cost projections from similar past cases.)
• Operational Expenses: -$375,000 (allocated for employee salaries, marketing, and business development over a 15-month period.)
• Penpie Treasury Balance: -$380,400 (Penpie cannot be fully sustained by the funds raised from the IDO, and the current deficit is being covered by the Magpie Treasury.)

Magpie Financials

• Strategic Sale Raised Funds: +$1,000,000 (raised through strategic round)
• IFO Raised Funds: +$1,750,000 (raised through the IFO on PancakeSwap)
• Audit Expenses: -$313,600 (allocated for audits conducted by PeckShield, Zokyo, AstraSec, BlockSec, and Supremacy for Magpie and its SubDAOs that have not yet held their TGE, including Eigenpie, Babypie, Campie, Listapie, and Sympie.)
• Operational Expenses: -$690,000 (Funds allocated for Magpie employee salaries, marketing, and business development over a 23-month period.)
• Operational Expenses from SubDAO: -$950,000 (allocated for employee salaries, marketing, and business development over a 12-month period for SubDAOs that have not yet held their TGE, including Eigenpie, Babypie, Campie, Listapie, and Sympie.)
• Penpie Extra Expenses: -$380,400 (to cover the Penpie Treasury deficit)
• Magpie Treasury Balance: $416,000 (operational funds left in Magpie Treasury)

To further clarify the financial health and ongoing operations of both Magpie and Penpie, we have summarized the key data points, including bribes and emissions:

Magpie and Penpie Revenue Overview

• vlMGP SubDAO Rewards: $208,690 /month (past 3-month average)
• SubDAO Treasury Allocation ( vested over 2 years)
  • Penpie 20%
  • Radpie 20%
  • Cakepie 15%
  • Campie 20%
  • Eigenpie 15%
  • Babypie 20%
  • Listapie 20%
  • Sympie 20%

Penpie

• Pendle Emission Revenue: +52,260 PENDLE /month (past 3-month average)
  • PENDLE emission to mPENDLE pool: 28,505 PENDLE
  • PENDLE emission to Treasury: 11,877 PENDLE
  • PENDLE emission to vlPNP: 11,877 PENDLE
• vlPNP Bribes: +$88,519.33 /month (past 3-month average)
• vePendle Rewards: +193 ETH /month (past 3-month average)
  • vePENDLE base rewards: 82 ETH
  • vePENDLE voter rewards: 111 ETH
• Treasury Holdings: as of September 12th
  • 32,492 PENDLE
  • 295,528 PNP (via buyback)
  • 71.5 WETH
  • 67,758 mPENDLE
  • 23,313 ARB
  • 16,281 CAKE
  • $626,349 mPENDLE/PENDLE LP on PancakeSwap
  • $110,374 mPENDLE LP on Penpie

For further details on Magpie and Penpie’s revenue, including more information on protocol fees, bribes, and emissions, we invite you to explore the Revenue Dashboard as well as the Penpie Treasury Wallet address.

Buyback Program Overview

Here is a brief overview of our ongoing buyback program, which was approved by the community vote on June 10, 2024. This program plays a key role in supporting the stability and growth of the Penpie ecosystem:

1. 100% of vePENDLE base rewards are allocated to buying back PNP, which is added to the Treasury, strengthening the protocol’s asset reserves.
2. 50% of vePENDLE voter rewards are used to buy back PENDLE and supply it as liquidity for the mPENDLE/PENDLE pair. This ensures the peg between mPENDLE and PENDLE remains stable while also building protocol-owned liquidity.
3. 20% of PENDLE emissions to the mPENDLE liquidity pool are used to buy back and burn mPENDLE, reducing its circulating supply.

• Total Buybacks Stats:
  • 295,528 PNP
  • $626,349 mPENDLE/PENDLE liquidity
  • 156,762 mPENDLE burnt

Community Involvement: Compensation Suggestions

We are reaching out to you, our valued users, to gather your suggestions on how compensation should be handled. Your input will be invaluable in helping us design a compensation plan that is fair and effective.

Here’s how you can participate:

• Submit your ideas on compensation strategies by commenting on the Governance Forum under this thread.

Guidelines for Suggestions:

• Propose feasible and community-driven solutions.
• Be clear and detailed in your proposals, explaining how your suggested solution addresses fairness and the scale of losses.
• You may post your suggestions in English, Chinese, or Spanish.

Deadline for Submissions

Important: Please submit your suggestions by [SEPTEMBER 21st] to ensure your participation in shaping the compensation plan.

After this deadline, the Team will draft a compensation plan and post it in the official forum for community feedback and discussion. Once finalized, the plan will be submitted to Snapshot for a governance vote.

We deeply appreciate your engagement, trust, and ongoing support during this challenging time. Our team remains fully committed to finding the best solution possible.

Thank you for being an essential part of the Penpie community.

— The Penpie Team

Proposed Penpie Hack Compensation Plan

Dear Penpie Team and Community,

As victims of the recent hack, we propose the following compensation plan:

TLDR : Team raises a minimum of 8 mills from magpie TGE(s) + 5 mills over a year (partners or other solutions)
Cashflow towards debt token PDT (110% goal)
ETA 2 years

1. Tradable Debt Token (PDT - Penpie Debt Token)

• Issue PDT to victims, representing 110% of ETH value lost. (Extra % can be voted on; we suggest 10% to be conservative)

• PDT should accrue yield over time, continuing even after the initial 100% compensation is reached.

Reasoning for 110% accrual:

1. Extended Value Proposition: Allowing PDT to accrue beyond the initial loss creates an incentive for holders to retain their tokens even after full compensation.

2. Speculative Value: Continued fee accrual from MAGPIE increases the open market value of PDT, potentially leading to a higher valuation due to future yield expectations.

3. Long-term Alignment: This mechanism aligns our interests with the long-term success of the MAGPIE ecosystem, encouraging ongoing engagement and support.

4. Market Liquidity: The extended yield potential may increase PDT’s attractiveness in secondary markets, potentially providing better liquidity for holders who wish to exit earlier.

5. Trust Restoration: Offering compensation beyond 100% demonstrates the team’s commitment to not just making us whole, but providing additional value as a gesture of goodwill.

This approach aims to transform this negative event into a potentially positive long-term opportunity for us, while also supporting the recovery and growth of the Penpie and MAGPIE ecosystems.

2. Cashflow Allocation

• Allocate a percentage of revenue from all Magpie SubDAOs and Penpie to PDT holders.

• We propose an initial allocation of 50% of all revenues.

• The exact percentage should be determined by community vote.

3. TGE Treasury Allocation

• Use treasury allocations from upcoming TGEs (Eigenpie, Babypie, Campie, Listapie, Sympie) to raise funds via OTC sales.

• Funds raised should be used to support Penpie’s recovery and our compensation.

• LP tokens from these sales will be vested to us (hack victims) while they earn fees for the MAGPIE treasury in the safest pool possible. This strategy maximizes the funds raised from TGEs and other avenues, ensuring a robust and sustainable compensation mechanism.

• The initial $8,000,000 estimated from TGE treasury allocations will be distributed among the ETH-affected pools to balance their loss percentages.

TGE Allocation Distribution (ETH pools only)

Based on the data from affected pools

1. Kelp agETH: 76.6% loss, 2494.76 ETH lost ≈ $5,737,948

Total pool before loss: $5,737,948 / 0.766 ≈ $7,490,793

2. Swell rswETH: 66% loss, 2755.62 ETH lost ≈ $6,337,926

Total pool before loss: $6,337,926 / 0.66 ≈ $9,602,918

3. stETH: 100% loss, 3502.12 ETH lost ≈ $8,054,876

Total pool before loss: $8,054,876

Total compensation needed: $20,130,750

Proposed distribution of $8,000,000 TGE allocation with weighted loss percentages:

1. stETH weight: 100^2 = 10000

2. Kelp agETH weight: 76.6^2 = 5868

3. Swell rswETH weight: 66^2 = 4356

Total weight: 20224

Distribution:

1. stETH: $8,000,000 * (10000 / 20224) = $3,955,200

2. Kelp agETH: $8,000,000 * (5868 / 20224) = $2,321,600

3. Swell rswETH: $8,000,000 * (4356 / 20224) = $1,723,200

Final distribution:

1. stETH: $3,955,200 (reduces loss to 50.9%)

2. Kelp agETH: $2,321,600 (reduces loss to 45.6%)

3. Swell rswETH: $1,723,200 (reduces loss to 48.4%)

Total allocated: $8,000,000

After this TGE distribution:

• stETH: 50.9% loss

• Kelp agETH: 45.6% loss

• Swell rswETH: 48.4% loss

Remaining Loss After TGE Distribution:

1. Kelp agETH (ETH): $3,416,348

2. Swell rswETH (ETH): $4,614,726

3. stETH (ETH): $4,099,676

4. Ethena sUSDe: $3,065,026 (unchanged)

5. gUSDC (ARB): $331,943 (unchanged)

Total remaining loss: $15,527,719

Proposed Compensation Timeline

Based on current projections and this proposed plan:

• Immediate Compensation: 34% of our total losses covered by TGE treasury allocations ($8,000,000).

• Remaining Loss after TGE: $15,527,719

• Ongoing Compensation: ~2.89% of our remaining losses repaid monthly through revenue sharing ($448,944/month).

• Additional Compensation: Minimum $5,000,000 raised from other SubDAOs and other revenue streams over 6-12 months.

• Expected Full Compensation: Within 20-24 months, factoring in the additional SubDAO contributions and ongoing revenue.

Financial Breakdown

1. Revenue Allocation (monthly):

• vlMGP SubDAO Rewards: $208,690

• Penpie vlPNP Bribes: $88,519

• vePendle Rewards: 193 ETH ≈ $443,900 (using current ETH price of $2,300)

• Pendle Emission Revenue: 52,260 PENDLE ≈ $156,780 (assuming 1 PENDLE = $3)

• Total Monthly Revenue: $897,889

• 50% allocation to PDT holders: $448,944

• Monthly compensation rate: ($448,944 / $15,527,719) * 100 ≈ 2.89%

2. TGE Treasury Allocation (one-time):

• Estimated total from 5 upcoming TGEs: $8,000,000

• Immediate compensation rate: ($8,000,000 / $23,527,719) * 100 ≈ 34%

3. Additional Buybacks:

• We request the team commits to raising at least $5,000,000 in the next 6-12 months for accelerated buybacks.

• Compensation rate: ($5,000,000 / $15,527,719) * 100 ≈ 32.2%

Ongoing Compensation

After the initial distribution, the ongoing compensation from revenue sharing and additional fundraising efforts will be distributed among all affected pools proportionally via the PDT until full compensation is achieved.

Estimated time to full compensation:

• Initial TGE compensation: 34%

• Remaining to be compensated: 66%

• Additional buybacks: 32.2% of remaining (21.25% of total)

• Left after buybacks: 44.75% of total

• Monthly compensation rate: 2.89% of remaining (1.91% of total)

• Estimated months to full compensation after buybacks: 44.75 / 1.91 ≈ 23.4 months

Total estimated time: 20-24 months (accounting for potential variations in revenue and additional fundraising efforts)

Could someone explain to me why PNP and mPENDLE holders have to pay for the developers’ mistakes ?

People who lost money in the hacked pools came to take advantage of the boosted yields, which are boosted precisely because of those who provided their PENDLE to the protocol.

The proposal mentioned in the previous post, if even partially accepted, will bury Penpie and the entire Magpie ecosystem, along with the PNP and mPENDLE holders. People who come to DeFi are well aware of the disclaimers that state they are taking on the risk of losses when investing their money, and nowhere in those disclaimers does it say that the project will attempt to compensate them if their funds are stolen at the cost of its own survival.

If anyone should be responsible for paying for this hack, it’s the employees who made the mistakes, starting with the product managers who got too caught up in stamping out subDAOs, chasing after all the hyped narratives, and neglecting additional audits and security, and the developers who missed such an error. It seems like the Four Eyes Principle didn’t work here (if you even apply it), which raises questions about the competence of the developers and the employees who hired and oversee them.

What consequences await Penpie if you refuse to offer compensation? Terrible, but at least the project will survive. The crypto community has a very short memory, people have continued using hacked protocols even after more catastrophic events.

I think some points need to be clarified first:

1. All magpie private investors, including locked subdao governance token holders (vlpnp vlmgp vlckp vlrdp vlegp…), locked version token holders (mpendle mcake mdlp mwom…… .). They have no reason to be responsible for the loss of funds caused by the theft of the Penpie protocol. When we discuss compensation, we must first clarify the responsible party, which should be borne by Magpie.
   If the private wallet of Magpie Company has these tokens pledged to obtain income, you can request that these income be used as compensation for the theft of Penpie. This is a reasonable request.
2. Similarly, the interests of vlmgp should not be affected in any way, because this is not the private property of Magpie Company, but the property of individual investors. Similarly, if Magpie Company has corresponding vlmgp assets, the income they create available for compensation.
3. Once again, when discussing the compensation plan, we must first clarify the responsible party for compensation. It is very ridiculous to make all subdao users pay for the theft of penpie. They have no responsibility for the theft of penpie.

I second gr1zz’s advice that a Penpie Debt Token should be created, I am not so optimistic about how much percentage can be compensated immediately so the token should be there until 110%(said by him) is compensated using project’s part of profit in the future, no matter it’s 2 years, 5 years or even longer.

I propose that the Magpie and Penpie team make a deal with VCs to obtain the amount to be compensated as soon as possible while offering them a part of the profits from the Penpie protocol.

This approach is a compromise that allows victims to be compensated quickly, while not sacrificing the ecosystem as a whole by using funds that were intended for ecosystem growth.
This also allows to free from debt tokens which would make the whole project bear the weight of past errors over a very long period of time.

To make this proposal a reality, the team will have to make a call for tenders by proposing a percentage of the profiles generated by the protocol that remains to be determined over a period that remains to be determined. The VC Team that proposes the lowest percentage of profit over a shortest period in exchange for the compensation funds would win the call for tenders.

Thank for your time

I second kitell and swixxx.

The first responsible party is the hacker, the second responsible party is the mgp team.

vlpnp, vlckp, etc, The user’s ve token treasure has nothing to do with The persons who lost their money in Lp.
We’re sorry that you lost your money but that has nothing to do with our treasure.

Stay away from our treasure.

You should go to the first responsible party and second responsible party, instead of trying to take advantage from innocent vl token holders.

I’ll mostly reply to gr1zz, since he represents the view of a big share of the money lost during the hack.

I of course agree that the victims should be compensated. However I think that several demands are way too big.

1/ PDT: A tradable debt token is in my opinion a must-have. It has been very efficient during past hacks, and it lets people who need money fast exit quickly. However, asking for a 110% reimbursement is out of the question. The goal should be to reimburse 100%, no more, no less. Every dollar going to that token won’t go to PNP and MGP holders.

2/ Cashflow allocation: I agree that a percentage of Penpie revenues should go PDT holders. No opinion on the percentage allocation. I however don’t think any revenues from other subDAOs should be used for that. The main point of having multiple DAOs is to silo the risk.

3/ TGE Treasury Allocation: Right now, the treasury allocation from new subDAOs doesn’t go directly to the team. It is used to generate revenues for all the MGP holders (including the team). “Selling” this allocation to recover Penpie’s losses would totally kill the future revenues of MGP holders, making the token pointless. Therefore, I strongly oppose to this solution. It is probably however possible to divert a part of there revenues to repay the victims.

4/ TGE allocation distribution: I don’t think some pools should get more repayment than others. 1$ lost = 1 PDT, whatever pool you were in. People in some pools suffered more (stETH for instance), but I don’t think they should get all of the upfront repayment with some other pools getting nothing.

5/ Proposed timeline: to be honest, I would be surprised if the full compensation would take less than 2 years, but I guess it will depend how much external help Penpie can get.

To sum up my views, Penpie got hacked, not Cakepie/Campie/Eigenpie etc. Therefore most of the repayment should come from the team and from Penpie, without hurting the other subDAOs and Magpie holders. Hurting other DAOs is the best way to destroy all the confidence in the Magpie ecosystem. Why should I ever put my money in a protocol, if it could be used to repay something that happened on a totally different protocol?

dont use pnp/mpendle yield to compensate.

1. they are investors of penpie
2. they are victims as well,it no way from victims to compensate other victims
3. they are the root which penpie alive and it’s ensure to compensation process in the future

promise to compensate, but need to delay compensation, devide more steps into implement

in short, to be alive > compensation now

Debt Token is a good idea. Recall the Bitfinex hack a couple years ago, which happened during a market pullback period before bull run in 2016-2017, Bitfinex created a debt token and paid everything back during the bull run in next 2 years. This is a golden example for showing responsibility in this industry.

I agree a big part of this.

But the responsible party is mgp not pnp.

So if what Revenue we’re gonna use we’re gonna need to use mgp revenue To do the compensation.

right?

In all honesty, Penpie can’t repay the losses without triggering a contagion of the whole ecosystem. I can only see two options viable:

1. make Penpie users accept a haircut of x%, while the rest paid for by revenue from Penpie & Mapgpie over a very long period.
2. if no option is agreed on, unwind the protocol and service/write down the debt to available assets in Penpie.

We need to start considering the option of defaulting and unwinding the business to limit the contagion to other subDAOs.

The objects of compensation is mgp，

not pnp.
Because the mistake is made by mgp team.

The rest is ok.

Agree with kite11 points.

gr1zz wrote a good and detailed plan, but as PNP and mPENDLE holder from day 1, newer sold any tokens, and commited to Penpie and other SubDAO’s growth, I’am against paying from holders PNP and mPENDLE part revenue. It will completely destroy trust of the last holders and possible future token buyers.

The responsibility falls on the team that wasn’t scrupulous enough about safety and got themselves into such a nasty situation. Perhaps there are third-party investors ready to support the project and add new money in the form of future revenues or management tokens.
For now, it is worth focusing on increasing the project’s revenues and maintaining the economy without breaking it.

Personally, I wanted to propose an extreme measure for consideration. mPENDLE can be turned around into PENDLE in 2 years. Allowing tokens to be requested to be converted back to PENDLE, say at 50% of the wallet holdings on the snapshot date at the time of the hack, could support peg in the future and then less funds would have to be allocated to support peg. These funds could be used for revenue sharing or other needs.
The disadvantage of this method is the loss of some votes. Considering that TVL has already been lost after the hack and will probably decline further for some time, this shouldn’t hurt the protocol too much.

Whoever thinks that this doesn’t involve the whole MGP eco doesn’t understand why the MGP eco had success in the first place, and the whole name of the game is PNP. After that CKP is another story of success, and there is so much else coming, that a failure of 100%+ repayment here will kill everything

For sure some guys with 50-100 bucks won’t care, but investors in 7-8 digits won’t put a cent if the team “forgets” to repay the affected users.

Therefore, whoever is into any -pie (live or upcoming) product should hope that this ends well or your product is dead. A TVL of 1-2M after all the whales and istitutional leave? Have fun with revenues not covering OPEX

This leads to the concept above that *anypie revs should be used to generate a cash flow to recover and repay. Not saying the whole thing, but a lower % income on all the subdaos is way better than 100% revs on like 100 bucks.

The Magpie revs for sure should go mostly to help PNP refund. They are literally taking value from PNP investors, they own it.

Disclosure, i have a lot of *pie tokens, present and upcoming, so i know i will get damage (and not a damage of 100$) but it’s way better for long term to have it fully working

I think this proposal is a concrete and good basis for discussion. There are two things I disagree with which seem to unfairly favor the author of the proposal, who is mostly exposed to the stETH pool.

1. It seems arbitrary and unfair to not compensate the two exploited stable pools through the TGE distribution.

2. The weighting scheme used in the TGE distribution (power of two) is again arbitrary, heavily favoring the stETH pool. A fair distribution is applying a power of one and including the two stable pools. I.e. every USD of compensation is split equally among all affected pools, proportional to their respective share of the overall loss. I.e. for every pool, we compute a weight acoording to: pool_weight = usd_loss_in_pool / usd_loss_total. The TGE distribution to any pool is then tge_amount_total * pool_weight.

One more inconsistency I would like to point out:

1. The sum of losses for the ETH pools in this proposal is $20,130,750. Adding the stated losses from the two stable pools gives $23,527,719. This is significantly lower than the ~$27,348,259 stated in the post-mortem. The team needs to make sure to independently re-calculate the USD losses for each of the pools!

Some additional minor points / comments:

1. I think it is fine to value the pools in USD as of the time of the exploit (as opposed to the current market value). People in the ETH pool will be happy when the market goes down and unhappy otherwise. It makes all calculations easier going forward though.

2. Having the debt token repay up to 110% (or a different percentage above 100%) also makes sense. Given the repayment will take year(s), this implicitly gives some compensation for the lost opportunity cost.

I think that some YT tokens are missing, but it will be easy to recalculate everything down. Also, Debt is pretty easy to calculate

Every user lost a portion of Eth, USD or both. Therefore, if you are involved in one or more of the pools exploited, you are entitles (your % of the eth pool) + (your % of the USD pools), in kind (i.e. don’t force users in eth to have a USD value or viceversa)

For some friends who are not familiar with the operation mechanism of MGP, I would like to emphasize again,

1. We need to clarify the subject of compensation liability, which is Magpie company. They are responsible for the operation of all subdao, and each subdao has its own independent treasury. Magpie also has its own treasury, which strictly belongs to the community of each project. Please distinguish between MGP token holders and Magpie company, they are not the same concept.
2. Objectively speaking, Magpie does not seem to have much funds available for compensation. If compensation is made using Magpie’s equity tokens (such as PNP, CKP, MGP, and RDP), it will cause malignant inflation, resulting in a decrease in the intrinsic value of the tokens. Coupled with low liquidity on the chain, all equity tokens will eventually be destroyed. Therefore, compensation can only be hoped for in a sustained income stream or in the hope that new project tokens can obtain better liquidity on CEX (in the most optimistic case, as long as one subdao is listed on the top CEX, the team can easily compensate in a short period of time)

I think the core point of the dispute is who is responsible for the stolen penpie. Therefore, it is irresponsible and inefficient to only put forward proposals that are beneficial to ourselves. We must reach some compromises and consensus on some basic issues, as well as have a detailed understanding of the operation of the agreement and the situation of each stakeholder. method to reach a fair and reasonable solution. However, the discussion is meaningful

I agree with the general sentiment. I strongly oppose the idea of providing compensation from PNP and mPendle holders. Firstly, these individuals are also victims of the hack, as the value of these tokens has significantly decreased.

Secondly, I find it unreasonable to take revenue from those who provide the core source of yield for the protocol – the holders of original Pendle tokens.

Lastly, I believe the primary objective should be to ensure the survival and continued operation of the protocol. For this, a compensation plan is indeed necessary. However, I propose a compensation rate of 100% rather than 110%. It also seems reasonable for the compensation period to extend over a longer timeframe, such as 2-5 years.

That said, I support the idea of PDT, as it offers flexibility for different types of investors.