CoinClear

Penpie

3.2/10

Pendle yield booster that suffered a $27M exploit — was the top Magpie SubDAO before the hack destroyed trust. Illustrates the real security risks of yield aggregation protocols.

Updated: February 16, 2026
AI Model: claude-4-opus
Version 1

Overview

Penpie is a yield-boosting protocol designed specifically for Pendle Finance, operating as a SubDAO within the Magpie ecosystem. The protocol accumulates PENDLE tokens (through user deposits and market purchases) to gain boosted voting power on Pendle's gauge system, then shares those boosted yields with depositors.

Pendle Finance enables yield trading by splitting yield-bearing assets into principal tokens (PT) and yield tokens (YT), allowing users to speculate on or hedge future yield. Penpie layered on top of this by accumulating vePENDLE (vote-locked PENDLE) to boost yields and direct emissions to specific Pendle markets.

Before the exploit, Penpie was the most successful Magpie SubDAO, having accumulated significant vePENDLE voting power and attracting substantial TVL. The protocol was a key part of the Pendle ecosystem's governance landscape.

The $27M Exploit (September 2024): In September 2024, an attacker exploited a vulnerability in Penpie's reward claiming mechanism, draining approximately $27 million in various tokens. The exploit targeted the interaction between Penpie's contracts and Pendle's market contracts, specifically a reentrancy vulnerability in how Penpie processed reward claims from Pendle markets. The attacker created a fake Pendle market that, when interacted with by Penpie's contracts, allowed reentrant calls to drain funds.

Smart Contracts

The smart contract architecture follows the standard yield aggregation pattern:

  • PENDLE locking — accumulate vePENDLE for boosted yields and voting power
  • Deposit vaults — accept user deposits of Pendle LP tokens and yield-bearing assets
  • Reward distribution — claim and distribute boosted rewards to depositors
  • Governance — PNP token governance for protocol decisions

The contracts were audited prior to the exploit. However, the reentrancy vulnerability in the reward claiming flow was not caught by auditors — it arose from the complex interaction between Penpie's contracts and Pendle's market contracts, particularly when processing rewards from external (potentially malicious) market addresses.

Post-exploit, the team has implemented fixes and additional security measures, but the damage to trust is done.

Security

Security is Penpie's critical failure point. The $27M exploit demonstrated that:

  • Composability risk is real — the vulnerability existed at the interface between two protocols
  • Audits are insufficient — the contracts were audited but the exploit vector was missed
  • External input validation is essential — the protocol didn't adequately validate external Pendle market addresses, allowing a fake market to trigger the exploit
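To make the failure pattern from the exploit description and the three bullets above concrete, the following is an added, illustrative Solidity example; it is not Penpie's or Pendle's code. It shows a reward-claiming flow that accepts an arbitrary market address and credits rewards by balance difference around an untrusted external call, next to a hardened version that validates the market against a trusted factory registry and holds one reentrancy lock across every entry point that can move token balances. The interfaces (`IRewardMarket`, `IMarketFactory.isValidMarket`, the minimal `IERC20`) are assumptions chosen for the example, not the real ABIs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative interfaces: assumptions for this example, not Pendle's or Penpie's real ABI.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IRewardMarket {
    function getRewardTokens() external view returns (address[] memory);
    function redeemRewards(address user) external;
}

interface IMarketFactory {
    function isValidMarket(address market) external view returns (bool);
}

// BEFORE: any address is accepted as a market, and rewards are credited from the
// change in token balances measured around an untrusted external call.
contract VulnerableRewardClaimer {
    // market => reward token => amount credited to that market's depositors
    mapping(address => mapping(address => uint256)) public rewardPool;

    function claimRewards(address market) external {
        IRewardMarket m = IRewardMarket(market);        // (1) no check that `market` is legitimate
        address[] memory tokens = m.getRewardTokens();   // (2) the untrusted callee decides which tokens count
        uint256[] memory before = new uint256[](tokens.length);
        for (uint256 i = 0; i < tokens.length; i++) {
            before[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
        m.redeemRewards(address(this));                  // (3) untrusted call; other entry points of this
                                                         //     contract can be re-entered while it runs
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 gained = IERC20(tokens[i]).balanceOf(address(this)) - before[i];
            rewardPool[market][tokens[i]] += gained;     // (4) any balance change during (3) is booked as reward
        }
    }
}

// AFTER: the same flow with the controls the bullets above call for. The market
// must come from a trusted factory, and a single lock covers every function that
// can change this contract's token balances, not only claimRewards.
contract HardenedRewardClaimer {
    IMarketFactory public immutable factory;                          // trusted registry of real markets
    mapping(address => mapping(address => uint256)) public rewardPool;
    mapping(address => mapping(address => uint256)) public deposits;  // market => depositor => LP amount
    uint256 private _status = 1;                                      // 1 = idle, 2 = entered

    constructor(IMarketFactory factory_) {
        factory = factory_;
    }

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    modifier onlyValidMarket(address market) {
        require(factory.isValidMarket(market), "unknown market");     // reject addresses the factory never deployed
        _;
    }

    // Deposits share the lock, so a claim in progress cannot be interleaved with a
    // deposit that would change the balances claimRewards is measuring.
    function deposit(address market, address lpToken, uint256 amount)
        external
        nonReentrant
        onlyValidMarket(market)
    {
        require(IERC20(lpToken).transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[market][msg.sender] += amount;
    }

    function claimRewards(address market) external nonReentrant onlyValidMarket(market) {
        IRewardMarket m = IRewardMarket(market);
        address[] memory tokens = m.getRewardTokens();
        uint256[] memory before = new uint256[](tokens.length);
        for (uint256 i = 0; i < tokens.length; i++) {
            before[i] = IERC20(tokens[i]).balanceOf(address(this));
        }
        m.redeemRewards(address(this));  // still external, but the callee is factory-verified and the lock is held
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 gained = IERC20(tokens[i]).balanceOf(address(this)) - before[i];
            rewardPool[market][tokens[i]] += gained;
        }
    }
}
```

The two changes address different bullets: the factory check closes the external-input-validation gap, and the shared lock closes the composability gap by ensuring that no balance-changing function of the aggregator can run while it is waiting on a downstream protocol. Balance-difference accounting is kept here because it is common in aggregators, but the lock only protects it if every function that moves tokens is behind the same guard; a guard on the claim function alone would leave the measurement exposed.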

The team's post-exploit response included pausing the protocol, conducting a post-mortem, implementing fixes, and discussing compensation for affected users. However, $27M in losses cannot be easily recovered, and the trust damage is permanent for many users.

Yield Generation

The yield generation mechanism itself is sound when functioning correctly. Penpie's accumulated vePENDLE provides genuine yield boosting — depositors earn more than they would depositing directly into Pendle. The yields come from:

  • Boosted PENDLE emissions from gauge voting
  • Bribe income from protocols seeking Pendle gauge votes
  • Base Pendle yields on deposited assets

The yield model is sustainable (based on real protocol revenue and emissions) rather than purely inflationary.

Adoption

Pre-exploit, Penpie had attracted significant TVL and was a meaningful participant in Pendle's governance. The protocol held a substantial share of total vePENDLE voting power.

Post-exploit, TVL dropped dramatically as users withdrew funds. The active user base has decreased significantly. While some users have returned after the security fixes, the protocol operates at a fraction of its pre-exploit scale.

Tokenomics

PNP is the governance token of Penpie, with vlPNP (vote-locked PNP) providing governance rights and boosted rewards. The token experienced a significant price drop following the exploit, reflecting both the direct financial damage and the trust erosion.

A portion of protocol revenue flows to PNP stakers, though with reduced TVL, this revenue is significantly lower than pre-exploit levels.

Risk Factors

  • Exploit history — $27M loss is a severe and documented security failure
  • Trust damage — permanent reputational harm from the exploit
  • Reduced TVL — protocol operates at a fraction of pre-exploit scale
  • Composability risk — vulnerability arose from cross-protocol interactions
  • Audit limitations — exploited despite audits, raising ongoing security concerns
  • Competition — other Pendle yield protocols may capture former Penpie users
  • Recovery uncertainty — unclear if the protocol can fully recover trust and TVL

Conclusion

Penpie scores 3.2, heavily penalized by the $27M security exploit. Before the hack, Penpie was a well-functioning yield booster with strong Pendle governance influence — it would have scored considerably higher. The exploit fundamentally changed the protocol's trajectory. The yield generation mechanism works in principle, and the Magpie team has implemented security improvements, but the trust deficit is enormous. The Penpie case serves as a critical reminder that yield aggregation protocols — which sit between users and underlying platforms — introduce compounding smart contract risk that even audits may not catch. Any interaction with Penpie should be approached with full awareness of this history.

Sources