How Does Penpie Work?

Yield|Risk C|6 mechanisms|5 interactions

A yield booster that sits on top of Pendle, letting you earn higher returns by pooling voting power. It holds about $80M in deposits. Its D+ grade is driven by a $27M hack in September 2024 and the fact that your money is 100% dependent on Pendle staying safe -- if Pendle fails, Penpie fails with it.

TVL: $11M

Sector: Yield

Risk Grade: C

Value Grade: C-

Core Mechanisms

3.1.3

Pendle yield booster: stake PNP tokens to boost Pendle LP yields by up to 2.5x through a vote-locking mechanism

Penpie allows users to stake Pendle LP tokens and earn boosted yields by leveraging pooled vlPENDLE voting power. Users deposit into Penpie, which aggregates voting power to maximize yield across Pendle markets. Standard vote-escrowed boost aggregation model.

5.1.2

vlPNP (vote-locked PNP): time-locked governance token with voting power proportional to lock duration (up to 2 years)

PNP holders can lock tokens for up to 2 years to receive vlPNP, granting governance voting rights and protocol fee share. Follows Curve's veToken model (veCRV). Longer locks = more voting power and fee capture.

3.4.2

Auto-compounding Pendle rewards: automatically harvests PENDLE emissions and restakes them to compound yields

Penpie automatically collects PENDLE token rewards from staked positions and reinvests them, saving users gas fees and optimizing compounding frequency. Standard yield aggregator auto-compounding pattern.

4.2.1

Batch reward harvesting: aggregates reward claims across multiple Pendle markets in single transaction

The _harvestBatchMarketRewards function was the exploit vector in September 2024. Batching reduces gas costs but increases complexity and attack surface. This function lacked proper reentrancy guards.

Cross-Protocol/Yield-Aggregation

Pendle ecosystem composability layer: enables leveraged yield strategies by combining Penpie boosts with external lending protocols

Users can deposit Penpie receipt tokens into lending protocols (Gearbox, Morpho) to borrow against boosted yield positions, creating leveraged Pendle exposure. This composability is novel but amplifies contagion risk across DeFi.

7.3.2

Dual token incentives: emits both PNP governance tokens and boosted PENDLE rewards to stakers

Penpie's dual incentive model provides both its native PNP token and amplified PENDLE yields. This creates complex tokenomics where PNP value depends on both governance utility and yield-boosting effectiveness. Novel incentive alignment but untested in stress scenarios.

How the Pieces Interact

Batch reward harvesting function | Reentrancy attack surface | Critical

The _harvestBatchMarketRewards function allowed external calls before state updates, enabling attackers to create fake Pendle markets and drain funds through reentrancy. Batching optimization created the critical vulnerability that cost $27M in September 2024.
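The ordering problem described above (an external call made before the state update, with no reentrancy guard) can be shown in a small model beside its hardened form. This is an added example, not Penpie's contract code: the `Harvester` and `CallbackMarket` classes, the `simulate` helper and the 100-unit reward are all constructed for illustration.

```python
class ReentrancyError(Exception):
    """Raised when the guarded harvest is entered while already running."""

class Harvester:
    """Toy model of a batch reward harvester; constructed, not Penpie's code."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.locked = False
        self.pending = {}   # market name -> rewards owed but not yet released
        self.paid_out = 0   # total rewards released so far

    def harvest_batch(self, markets):
        if self.hardened:
            if self.locked:  # reentrancy guard, checked before any work is done
                raise ReentrancyError("harvest_batch re-entered")
            self.locked = True
        try:
            for market in markets:
                owed = self.pending.get(market.name, 0)
                if self.hardened:
                    self.pending[market.name] = 0   # effects first ...
                    self.paid_out += owed
                    market.redeem_rewards(self)     # ... external call last
                else:
                    market.redeem_rewards(self)     # external call first
                    self.paid_out += owed           # value read before the call
                    self.pending[market.name] = 0   # state update arrives too late
        finally:
            if self.hardened:
                self.locked = False

class CallbackMarket:
    """Constructed untrusted market whose redeem hook calls back once."""
    def __init__(self, name):
        self.name, self.called_back, self.blocked = name, False, False

    def redeem_rewards(self, harvester):
        if not self.called_back:
            self.called_back = True
            try:
                harvester.harvest_batch([self])  # nested entry into the harvester
            except ReentrancyError:
                self.blocked = True

def simulate(hardened):
    """Return (total released, whether the nested call was rejected)."""
    harvester = Harvester(hardened)
    harvester.pending["untrusted"] = 100  # constructed: 100 reward units owed
    market = CallbackMarket("untrusted")
    harvester.harvest_batch([market])
    return harvester.paid_out, market.blocked
```

With `simulate(False)` the model releases 200 units against 100 owed, because the nested call still sees the unpaid balance; with `simulate(True)` it releases 100 and the nested call is rejected by the guard.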

Pendle PT/YT dependency | Single protocol concentration risk | High

100% of Penpie TVL depends on Pendle's security and solvency. Any Pendle exploit, PT/YT depeg event, or Pendle protocol failure instantly cascades to all Penpie users. No diversification or fallback mechanism exists.

vlPNP governance token | Post-exploit recovery governance | High

After the September 2024 hack, governance faces a dilemma: mint PNP to compensate victims (diluting existing holders) or let victims bear the losses (destroying the protocol's reputation). Either choice creates death spiral dynamics similar to the Rari Capital and Indexed Finance failures.

Leveraged yield strategies via lending integration | Cascading liquidations during depeg | Medium

Protocols accepting Penpie receipt tokens as collateral (Gearbox, Morpho) face bad debt if Penpie or Pendle suffers an exploit. Leveraged positions amplify losses: a 20% depeg triggers liquidations that push Penpie tokens further down, creating liquidation spirals.

Auto-compounding mechanism | Smart contract upgrade risk | Medium

Auto-compounding requires continuous contract execution permissions. If Penpie deploys a malicious upgrade or admin keys are compromised, the auto-compound mechanism can be weaponized to drain all staked assets instantly (similar to the Harvest Finance 2020 exploit pattern).

What Could Go Wrong

  1. Exploited for $27M in September 2024 via a reentrancy vulnerability in reward distribution, demonstrating critical smart contract risk in the yield aggregation layer
  2. Tight coupling to the Pendle protocol creates a single point of failure: any Pendle exploit or PT/YT market failure cascades directly to Penpie users
  3. The veToken governance model (vlPNP) creates governance capture risk and post-exploit hyperinflation scenarios similar to the Rari/Indexed Finance failures

Pendle Ecosystem Contagion from Yield Aggregator Failure

Moderate

Trigger: A critical vulnerability in Penpie's staking or reward distribution contracts is exploited, or Pendle itself suffers a major exploit, causing cascading losses across the entire Pendle yield aggregation ecosystem

  1. Attacker exploits a reentrancy vulnerability in Penpie's reward distribution function (similar to September 2024 $27M hack), draining user deposits from multiple Pendle market pools. Penpie loses ability to maintain 1:1 peg between LP tokens and underlying Pendle positions; users holding vlPNP governance tokens see voting power become worthless.
  2. Panic spreads to other Pendle aggregators (Equilibria, Penpie competitors) as users question security of all Pendle-based yield strategies. Mass withdrawal from Pendle Principal Tokens (PT) and Yield Tokens (YT) across the ecosystem, breaking the fundamental PT+YT=underlying asset equation as liquidity fractures.
  3. Pendle's $3B+ TVL faces rapid outflows as institutional users (who deposited via Penpie for boosted yields) unwind positions. PT/YT market spreads widen dramatically; users trying to exit fixed-yield positions face severe slippage, locking many into unfavorable rates.
  4. DeFi protocols using Pendle PT tokens as collateral (Gearbox, Morpho) trigger liquidations as PT prices crash below collateral thresholds. Broader DeFi contagion as PT collateral value evaporates; Pendle's novel yield-splitting primitive faces existential credibility crisis.

Risk Profile at a Glance

Mechanism Novelty: 0/15
Interaction Severity: 14/20
Oracle Surface: 3/10
Documentation Gaps: 5/10
Track Record: 15/15
Scale Exposure: 3/10
Regulatory Risk: 3/10
Vitality Risk: 7/10

Overall: C (50/100)

Lower score = safer
