Anyone keeping an eye on the decentralized finance sector will know DeFi’s popularity is still growing. Pickle Finance’s founders, however, noticed that yield farming hasn’t gotten any easier. They saw lots of protocols offering generous returns but found it difficult to assess which ones were sustainable and trustworthy. With all the fly-by-night “exit scams”, “rug pulls”, and straight-up hacks, they knew it was hard for newcomers to figure out which platforms they could trust.
With that in mind, Pickle Finance wanted to create a yield-generating DeFi protocol that earned top yields for its users, but also one that was simple to use. As such, the beginnings of the on-chain asset management protocol Pickle.Finance, commonly known as Pickle Finance, were born.
As anyone in the decentralized finance industry will know, the DeFi sector is booming. However, when it comes to investing, people should see through the hype. The best tip when it comes to understanding DeFi projects and protocols is having a solid blockchain education. Ivan on Tech Academy is one of the premier blockchain education platforms, and over 30,000 students have already enrolled in the Academy. Start your blockchain journey today with Ivan on Tech Academy!
So, understanding Pickle Finance requires us to first take a look at Pickle Finance’s product offering. These are the essential products that make up the Pickle Finance suite:
PickleJars is where the Pickle yield farming robots go to work to earn returns on user deposits. Learn more about PickleJars here.
PickleFarm is the place to earn PICKLE tokens in the liquidity mining pools. Learn more about PickleFarm here.
PickleStake is where users go to earn WETH by staking PICKLE tokens. Go here when you’re ready to stake PICKLE and stack WETH. However, for trading PICKLE tokens, the best place is Uniswap.
Pickle determines the WETH rewards to distribute weekly. They go to stakers based on the income Pickle Finance generates, but only once that income exceeds the $500K Treasury cap.
PickleSwap is where users go to swap from one PickleJar to another.
More About PickleJars
At the time of this writing, eight PickleJars are operating. Each PickleJar (pJar) works the same way but uses a different strategy:
- You deposit funds into a pJar and receive pTokens.
- The strategy puts your funds to work to generate returns.
- The returns go back to the pool, which causes your pTokens to appreciate.
Some of the Different PickleJars
pJar 0.00 (a, b, c):
These are the Curve Jars, and they farm CRV. You can deposit DAI, sUSD, USDC, and USDT in Curve’s sUSD pool. In Curve’s renBTC pool, you can deposit renBTC or wBTC. And for Curve’s 3pool, you can deposit DAI, USDC, or USDT.
Additionally, you can earn PICKLE rewards by depositing your pTokens (except psCRV) in the Farm.
pJar 0.69 (a, b, c, d):
These are the Uniswap Jars, and they farm UNI. Pickle participates in four Uniswap pools. Depositing in one of these pools returns pUNI tokens.
With the liquidity provider tokens, pJar 0.69 receives and re-invests UNI rewards. So, if you invest in this Jar, you end up with more pUNI tokens than you started with. Just like with the pJar 0.00, you can earn PICKLE rewards by depositing your pTokens in the Farm.
This pJar is the Compound Jar, which, not surprisingly, farms COMP. Using the deposited base currencies, DAI, USDC, and USDT, this pJar receives and reinvests COMP for you. So, once again, you will end up with more of the underlying currency than you started with. You achieve yield by supplying and borrowing assets on Compound to get COMP tokens.
Of course, you could figure out how to do these yield farming strategies yourself, but leveraged mining of COMP can be dangerous past a certain threshold. That’s why the team at Pickle invented pJars in the first place: to automatically reinvest your gains and optimize for the highest-yield strategies.
Also, once you’ve received pTokens for depositing assets in the pJars, you can stake them in the Farms and receive PICKLE token rewards. Just visit the PickleFarms page and select the Farm with the same pToken you already own. From there, choose the amount you wish to stake and click “Stake”. Here is more info on how to deposit to pJars.
There is no cap on the supply of PICKLE tokens, and the PickleFarms are there for you to farm PICKLE rewards. Different Farms require different tokens, but the PICKLE/ETH 50:50 Uniswap pool is the primary liquidity source for PICKLE tokens.
Liquidity providers in the Uniswap pool receive 70% of the PICKLE token emissions. This percentage can be changed in the future by governance, but for now, this is the power pool.
To farm PICKLE tokens in this pool, you have to supply liquidity to the PICKLE/ETH pool, which means delivering both PICKLE and ETH tokens to Uniswap. The other farming pools require staking pTokens. You can obtain these tokens by depositing funds to a pJar. Learn more about PickleFarms here.
Pickle Finance Governance
The Pickle Finance community and the PICKLE/ETH liquidity providers will shape the future of the protocol. Their governance system utilizes Quadratic voting, which promises to offer a more democratic form of governance. Market principles drive Quadratic voting, where each voter gets a budget of votes to spread around so they can express their desires more strongly.
For instance, let’s say each voter gets 20 voting credits to spend on 20 issues. They could vote once on each topic, or they could allocate all 20 vote credits to one issue and skip the others. They could do that if they care strongly about one point. The interesting thing about Quadratic voting, then, is that it allows voters to express the degree of their sentiment, not just the direction.
Are you confused by the notion of governance? If so, you should take a look at Ivan on Tech Academy. Ivan on Tech Academy offers dozens of blockchain courses, which go through everything from DeFi to governance in an easily understood way.
To quote their white paper, “All key admin functions on the MasterChef contract, which controls the emission of PICKLEs to the Farms are controlled by a 24-hour time-lock contract. A 12-hour time-lock contract controls all key admin functions relating to the PickleJars. Each of the above time-lock contracts must be executed through a 3/6 community multisig wallet.” Remember this feature for the next section.
Pickle Finance has undergone an audit by MixBytes, and a preliminary audit by Haechi. They found no critical issues in the smart contracts. However, the audit did uncover some suspicious proxy functions. Pickle’s developers defended them, however, as necessary and safe because of the 12-hour time-lock protection.
But as we discussed in our Smart Contract Security article, audits don’t always find every code flaw. And unfortunately, Pickle Finance became the latest victim in the epidemic of DeFi hack attacks. However, this hack was different from the standard arbitrage exploit.
The Pickle Finance Hack
On November 21, 2020, an attacker exploited two bugs in the Controller smart contract, successfully draining 19.7 million DAI from the pDAI Jar using a so-called fake pJar, or “Evil Jar.”
To understand the hack better, know that pJars are forked versions of Yearn Vaults v1 with some modifications. A contract called the “Controller” manages the pJars, and its latest version enables direct swaps between Jars. The hacker exploited this “swap” functionality and other design flaws to execute the attack.
So, this Controller has a function that allows asset swaps between Jars, but as mentioned, it had two bugs in the logic. To be more specific:
- The first problem was an input validation bug: the Controller didn’t validate whether a particular jar was supported.
- The second bug was an arbitrary code execution flaw that let the Controller be made to execute untrusted code.
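The two guards that close these bugs, as an added sketch (this is not Pickle’s actual Controller code; the `IJar` interface, the `jars` registry, the `approvedTargets` allowlist, `swapJars` and the governance-only restriction are all assumed): a jar is accepted only if it is the registered jar for the token it reports, and caller-supplied calldata may only be sent to pre-approved helper contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal jar interface for this sketch, not Pickle's real ABI.
interface IJar {
    function token() external view returns (address);
    function withdrawAll() external;
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ControllerSketch {
    address public governance;
    // Registry: underlying token => the single jar this controller trusts for it.
    mapping(address => address) public jars;
    // Allowlist of helper contracts the swap path may call with caller-supplied calldata.
    mapping(address => bool) public approvedTargets;
    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }
    constructor() { governance = msg.sender; }
    function setJar(address token, address jar) external onlyGovernance { jars[token] = jar; }
    function setTarget(address target, bool ok) external onlyGovernance { approvedTargets[target] = ok; }

    // Fix for bug 1: reject any address that is not the registered jar for the token it reports.
    // A fake jar returning DAI as its token still fails, because jars[DAI] is the real pDAI jar.
    function _requireRegistered(address jar) internal view {
        require(jar != address(0) && jars[IJar(jar).token()] == jar, "!jar");
    }

    // Fix for bug 2: arbitrary calldata may only be sent to pre-approved targets.
    function _execute(address target, bytes calldata data) internal {
        require(approvedTargets[target], "!target");
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
    }

    // Swap path with both guards in place; governance-only is an extra layer assumed here.
    function swapJars(address fromJar, address toJar, address target, bytes calldata data)
        external onlyGovernance {
        _requireRegistered(fromJar);
        _requireRegistered(toJar);
        IJar(fromJar).withdrawAll();               // pull funds into the controller
        _execute(target, data);                    // convert via an allowlisted helper only
        IERC20 out = IERC20(IJar(toJar).token());
        uint256 amount = out.balanceOf(address(this));
        require(out.transfer(toJar, amount), "transfer failed"); // funds now sit in the trusted jar
    }
}
```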
The Exploit Begins
So, the hacker queried the asset balance to find that 19.7 million DAI was available. Next, he created a fake Jar exploiting the validation bug and swapped funds from the original Jar. Since there was no “whitelist,” so to speak, the Controller didn’t verify that the Evil Jar was legit. Hence, the token withdrawal and deposit functions were allowed to continue.
The hacker called the earn() function three times (notice the collateralization ratio in effect):
- 1st earn() call invests 19.7 million DAI and mints 903 million cDAI.
- 2nd earn() call invests 988,000 DAI and mints 45 million cDAI.
- 3rd earn() call invests 49,000 DAI and mints 2 million cDAI.
The attacker then exploited the arbitrary code execution to withdraw all cDAIs. Once the Controller had the cDAI, it called the EvilJar.deposit() function to transfer the funds to the hacker’s smart contract. The attacker then redeemed the cDAI for 19.7 million DAI and moved it to his wallet.
Calling All White Hats
Thankfully, the Pickle Finance developer team was not too proud to ask for help, and they convened a war room with developers from Stake Capital, Yearn Finance, and others to try and save the day.
As the white hats in the war room labored away, it became apparent that the attacker knew his stuff and was an expert in Solidity and EVM. It’s also likely that he’d already explored Yearn’s code since the vulnerability was similar to what plagued Yearn’s code earlier.
The team tried to call the “withdrawAll” function to empty the pJars and stop the bleeding. However, that failed since the request had to pass through the Governance DAO, which had a 12-hour time-lock. And the only person with the power to bypass the time-lock was a member of the multisig who was fast asleep. That’s not surprising, since the Pickle team resides across the world in different time zones.
Since the team couldn’t immediately empty the pJars, they had to get the word out to their users to withdraw their funds and prevent any further deposits from taking place. They proceeded with this while the white hat team continued investigating the exploit.
So, the team had to fight a war on multiple fronts. They had to run safety checks on the other pJars to make sure they weren’t also vulnerable. And they had to “white hack” the pJar before the real hackers hit it again. Lastly, they had to accomplish this while also trying to prevent opportunistic miners from front-running them as they attempted to rescue the remaining funds.
The war room devs eventually replicated the exploit successfully, and the fix was in. Via the governance multisig, the Pickle Finance team called the setMin(0) function on the pDAI Jar without waiting for a time-lock. Thankfully they disabled the pDAI jar deposits—albeit they were still 19.7 million DAI lighter.
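The decreasing earn() amounts listed in the exploit section and the setMin(0) call above both come from the Yearn v1 reserve ratio that the pJars inherit. The sketch below is added here and is not Pickle’s or Yearn’s code; the `IController` interface and the ~20.7M DAI starting balance (inferred from the article’s 19.7M and 988K figures at a 95% ratio) are assumptions. It shows why each earn() call sends 95% of what is still in the jar, and why setMin(0) makes earn() move nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed minimal controller hook that puts tokens to work (not Pickle's real ABI).
interface IController {
    function earn(address token, uint256 amount) external;
}

contract JarReserveSketch {
    IERC20 public immutable token;
    IController public controller;
    address public governance;
    // Yearn-v1-style reserve ratio: only min/max of the balance leaves per earn() call.
    uint256 public min = 9500;
    uint256 public constant max = 10000;

    constructor(IERC20 _token, IController _controller) {
        token = _token;
        controller = _controller;
        governance = msg.sender;
    }

    // Governance lever: setMin(0) makes available() return 0, so earn() moves nothing.
    function setMin(uint256 _min) external {
        require(msg.sender == governance, "!governance");
        require(_min <= max, "min > max");
        min = _min;
    }

    // How much earn() may hand to the controller right now.
    function available() public view returns (uint256) {
        return token.balanceOf(address(this)) * min / max;
    }

    // With min = 9500, each call sends 95% of what is still in the jar: from an assumed
    // ~20.7M DAI that is ~19.7M, then ~988K of the ~1.04M left, then ~49K of the ~52K left.
    function earn() external {
        uint256 amount = available();
        if (amount == 0) return;
        require(token.transfer(address(controller), amount), "transfer failed");
        controller.earn(address(token), amount);
    }
}
```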
If you read our article on Smart Contract Security, you know that the Agile software development mantra of move quickly, fail fast, and fix the buggy code later doesn’t work in DeFi. There’s a large price tag attached to shipping buggy code in DeFi. Ironically, both MixBytes and Haechi conducted their audits before Pickle added ControllerV4 on October 23. And it just so happens that this was one of the critical attack vectors.
Security experts are currently monitoring the wallet with the stolen DAI for any movement. But once again, this hack shows that all DeFi protocols, and especially new ones like Pickle Finance, should view security audits as a continuous process and not just a “one and done” type of operation.
The Future of Pickle Finance
Fortunately, the hack didn’t spell doom and gloom for the protocol. Shortly afterward, Andre Cronje, the founder/developer of Yearn Finance, announced a partnership between them. Yes, Pickle and Yearn developers came up with a way for the two platforms to work together. The goal was to share expertise, increase each side’s specialization, and to reduce redundancy.
So, Yearn now benefits from Pickle’s new strategy creators to boost its product offerings, while Pickle Finance will benefit from Yearn’s ecosystem and security expertise. And that couldn’t come at a better time. They will start with a minimal release and work towards further integration in time.
The Pickle and Yearn Merger
Ultimately, it means that, among other things, pJars deploy as Yearn Vaults. Since pJars are essentially cloned versions of yVaults, the code is similar, making assimilation easier. Also, the total value locked (TVL) between Pickle and Yearn will merge. And, yVault depositors will be able to earn rewards by locking up PICKLE tokens for DILL.
Best of all, the merger will create a new token called CORNICHON to track the Evil Jar losses for the hack victims. These tokens will be minted and distributed proportionally to compensate the victims.
Ultimately, the merger’s end goal is to boost returns for yield farmers, but it won’t happen all at once. Cronje said the first step will be to merge pJars and Yearn’s v2 Vaults and merge the TVL.
Are you interested in learning Smart Contract Security? How about learning DeFi? To become a top blockchain developer, you’ll need the best education you can find, so visit Ivan on Tech Academy today to see the vast range of courses available!