CVC Statements for Claim filed on 11/21/2020 for Pickle Finance

There was a claim submitted on Cover Protocol for Pickle Finance on 11/21/2020.

A Snapshot proposal has been created here.

Information on incident here.
Claim Guidelines can be found here.

This post is used for Cover Protocol Claim Validity Committee to post their statements on their decisions and findings.

Please do NOT comment if you are not a CVC member.

Statement format:

CVC member name: Pumpkin Auditing Firm
CVC member link: pumpkinauditing.com
Decision: Valid claim
Payout Percentage: 100%
Investigation: evidence/links to back up the decision and payout.

CVC member name: PeckShield
CVC member link: peckshield.com
Decision: Valid claim
Payout Percentage: 100%
Investigation: Please see our root cause analysis post here:
https://peckshield.medium.com/pickle-incident-root-cause-analysis-5d73496ebc9f

CVC member name: Hacken
CVC member link: hacken.io
Decision: Valid claim
Payout Percentage: 100%
Investigation: Based on the given claims guidelines, we believe this claim should be valid.

CVC member name: Weeb Mcgee
CVC member link: weeb (@Weeb_Mcgee) / Twitter
Decision: Valid claim
Payout Percentage: 100%
Investigation: Based on investigation by various ETH community members @banteg @emilianobonassi @lehnberg @samczsun @vasa-develop @bneiluj, I believe this claim should be accepted on the basis that this was an exploit by a 3rd party due to smart contract issues (lack of input verification, remote code execution).

Post mortem: evil-jar/readme.md at master · banteg/evil-jar (github.com)

CVC member name: Defi Yield
CVC member link: Website / Twitter
Decision: Valid claim
Payout Percentage: 100%
Investigation: I have analyzed the information provided by PeckShield and research done by @vasa_develop @bantg @emilianobonassi @bneiluj @samczsun together with @picklefinance - link, and I can confirm that this claim is valid.

CVC member name: The Arcadia Group
CVC member link: Website / Twitter
Decision: Valid
Payout Percentage: 100%
Investigation: Based on the pre-existing investigation provided by @banteg and co link, this attack looks to be a complex attack and not one made through negligence. I support the awarding of insurance rewards; however, I would recommend any further Pickle insurance claims be reviewed to see if similar mistakes were made.

CVC member name: Haechi Audit
CVC member link: https://audit.haechi.io
Decision: Valid claim
Payout Percentage: 100%
Investigation:
We have analyzed this exploit. This exploit was caused by the flaws (no sanity check, arbitrary code execution by delegatecall) mentioned in this diagram (@vasa_develop).
Each flaw appears to be a minor issue, but when 8 flaws are combined, it becomes a critical issue that can be exploited.
This is a valid claim because this exploit was caused by smart contract vulnerabilities.
