Executive Summary
SlowMist's Cosine reported that a significant Pendle token holder incurred a loss exceeding $1.3 million due to an exploit of their self-created onMorphoFlashLoan contract. This vulnerability allowed a malicious actor to manipulate the user's delegated positions on both AAVE and Pendle, highlighting the persistent security challenges that custom deployments pose within decentralized finance.
The Event in Detail
The incident involved a prominent Pendle whale who lost over $1.3 million USD. The attack vector was identified as a critical vulnerability within the user's self-created onMorphoFlashLoan smart contract. This contract, designed with open accessibility, permitted any external entity to invoke its functions. The hacker leveraged this permission to execute unauthorized operations, specifically manipulating the whale's delegated positions across the AAVE and Pendle protocols. This exploitation underscores a significant risk when individual users deploy custom smart contracts without rigorous security audits, particularly those interacting with established DeFi platforms.
Financial Mechanics and Business Strategy
The core of the exploit lay in the onMorphoFlashLoan contract's design, which, according to SlowMist's analysis, was structured to allow calls from any address. This misconfiguration enabled the attacker to bypass access controls and interact with the whale's delegated assets. While the specific financial instruments involved were the user's delegated positions on AAVE and Pendle, the underlying mechanism was the abuse of a poorly secured custom smart contract. The Pendle Finance team confirmed that its core protocol funds remained secure following thorough investigation, differentiating the vulnerability from a protocol-level breach.

However, a separate incident saw Penpie, an independent protocol built atop Pendle, suffer a $27 million smart contract exploit, draining Lido Staked ETH (wstETH), Ethena's sUSDe, and Swell's rswETH. This broader context further emphasizes the varied and interconnected security challenges within the Web3 ecosystem. Separately, the PENDLE token observed significant on-chain movements around this period, with Arthur Hayes incurring a $1.29 million loss from selling 1.59 million PENDLE tokens before a 24% price surge. This event, while distinct from the exploit, highlights market volatility and large holder influence.
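To make the failure mode concrete, the following Solidity is an added illustration written for this article; it is not the whale's contract, SlowMist's code, or any Pendle or Morpho code. It contrasts a flash-loan callback that anyone can call (the pattern SlowMist describes) with a hardened version that accepts the callback only from the Morpho contract and only during a loan the owner started. The callback signature onMorphoFlashLoan(uint256 assets, bytes calldata data) follows Morpho Blue's published callback interface; the contract and function names (VulnerableFlashBorrower, HardenedFlashBorrower, startFlashLoan, _expectingCallback) and the encoded-calls layout of `data` are assumptions made for the example, standing in for whatever AAVE and Pendle position-management logic the real contract performed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of Morpho Blue's flash-loan entry point (name and signature as published).
interface IMorpho {
    function flashLoan(address token, uint256 assets, bytes calldata data) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Shared helper: forwards a batch of encoded calls. In the real incident this is where the
// contract's delegated authority over AAVE and Pendle positions was exercised; here it is
// a generic placeholder (assumption for the example).
abstract contract DelegatedActions {
    function _executeDelegatedActions(address[] memory targets, bytes[] memory calls) internal {
        require(targets.length == calls.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call(calls[i]);
            require(ok, "delegated call failed");
        }
    }
}

// --- Vulnerable pattern: the callback is open to every address -----------------------------
// Nothing checks who is calling, so any external account can invoke onMorphoFlashLoan directly
// with attacker-chosen `data`, and the contract executes it with its delegated permissions.
contract VulnerableFlashBorrower is DelegatedActions {
    address public owner;

    constructor() { owner = msg.sender; }

    function onMorphoFlashLoan(uint256, bytes calldata data) external {
        (address[] memory targets, bytes[] memory calls) = abi.decode(data, (address[], bytes[]));
        _executeDelegatedActions(targets, calls); // runs for ANY caller, not just Morpho
    }
}

// --- Hardened pattern: caller check plus an owner-gated "loan in progress" flag -------------
contract HardenedFlashBorrower is DelegatedActions {
    IMorpho public immutable MORPHO;
    address public immutable owner;
    bool private _expectingCallback; // true only while an owner-initiated loan is in flight

    error NotOwner();
    error NotMorpho();
    error UnexpectedCallback();

    constructor(address morpho) {
        MORPHO = IMorpho(morpho);
        owner = msg.sender;
    }

    // Only the owner can start a loan. The flag records that exactly one callback is expected.
    function startFlashLoan(address token, uint256 assets, bytes calldata data) external {
        if (msg.sender != owner) revert NotOwner();
        _expectingCallback = true;
        MORPHO.flashLoan(token, assets, data); // Morpho sends tokens, calls back, then pulls repayment
        _expectingCallback = false;
    }

    // Morpho Blue invokes this on the contract that called flashLoan and afterwards pulls the
    // repayment with transferFrom. Two checks close the hole from the vulnerable version:
    // (1) the caller must be the Morpho contract, (2) a loan must actually be in progress.
    function onMorphoFlashLoan(uint256 assets, bytes calldata data) external {
        if (msg.sender != address(MORPHO)) revert NotMorpho();
        if (!_expectingCallback) revert UnexpectedCallback();
        _expectingCallback = false; // consume the flag so a second callback in the same tx is rejected

        (address token, address[] memory targets, bytes[] memory calls) =
            abi.decode(data, (address, address[], bytes[]));
        _executeDelegatedActions(targets, calls);

        // Allow Morpho to pull the borrowed amount back; the loan reverts if repayment fails.
        IERC20(token).approve(address(MORPHO), assets);
    }
}
```

The msg.sender check alone is not enough if the contract also exposes some other path that calls into Morpho, which is why the hardened version pairs it with an owner-only entry point and a flag that is set and consumed around a single loan. When reviewing a custom flash-loan receiver, the first question is therefore who may call the callback and who may start the loan, not what the callback does once it runs.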
Market Implications
This incident reinforces the critical need for enhanced security practices in user-deployed smart contracts and delegated position management within DeFi. It is expected to increase scrutiny on custom contract audits and the permissions granted to them, particularly those interacting with core protocols like AAVE and Pendle. The broader market implications include a cautious sentiment towards individual or small-team developed contracts, even as established protocols maintain their security. The rise in sophisticated social engineering attacks and vulnerabilities in delegated mechanisms, such as those introduced by EIP-7702, continues to pose risks, with the Web3 ecosystem facing $39.73 million in phishing losses across 43,628 victim addresses in H1 2025. This incident contributes to the growing concern regarding the overall security posture of the DeFi space, where total losses from blockchain hacking incidents reached an estimated $36.633 billion globally as of September 2025.
SlowMist's Cosine, a prominent blockchain security expert, detailed the exploit, emphasizing that the vulnerability resided in the user's self-created contract. Cosine consistently highlights the "Dark Forest" nature of the Web3 ecosystem, where security challenges, attack trends, and defense strategies are paramount. According to SlowMist Hacked data, smart contract vulnerabilities accounted for the most incidents (328) as of September 2025. Cosine's lectures at institutions like HKU Business School stress preventive measures and incident response for crypto asset risks. Furthermore, a 2025 review by Halborn indicated that misconfigured owner-only functions or role assignments were responsible for 80% of compromised DeFi admin keys. Aave also proactively educates users on smart contract risks and safe practices, including understanding transaction approvals.
Broader Context
The exploit of the onMorphoFlashLoan contract is indicative of broader systemic vulnerabilities beyond core protocol security. While major DeFi protocols like Pendle often feature robust security, the interconnected nature of the ecosystem means that user-created contracts and third-party integrations introduce new attack surfaces. This incident aligns with the trend observed in H1 2025, where, despite a decrease in the number of security incidents (121), total losses increased by approximately 65.94% compared to H1 2024, reaching $2.373 billion. Smart contract vulnerabilities and account compromises remain leading causes of these losses. The emergence of new features like Ethereum's EIP-7702, which allows contract delegation, also introduces new risk boundaries, enabling attackers to exploit authorized contracts if users are tricked by phishing sites. Experts consistently recommend adherence to secure coding standards, rigorous tooling, layered audits, and continuous monitoring, as 49% of exploitable contracts are attacked within 30 days of deployment.
Sources:
[1] SlowMist Cosine: Pendle Whale Suffers Over $1.3 Million Loss Due to Its Created Contract Allowing Anyone to Call - TechFlow (https://www.techflowpost.com/newsletter/detai ...)
[2] Whales buy Pendle after BitMEX co-founder sold it for a loss - Crypto News (https://vertexaisearch.cloud.google.com/groun ...)
[3] Pendle Pauses Contracts After Yield Protocol Penpie Suffers $27 Million Exploit (https://vertexaisearch.cloud.google.com/groun ...)