HACK ANALYSIS

Peapods Finance Hack Analysis

Overview:

On February 8, 2025, Peapods Finance (@PeapodsFinance) experienced a slippage front-run in its reward contract's depositFromPairedLpToken function. An arbitrageur leveraged the _slippageOverride parameter to front-run reward processing and extract value from the contract. The issue is isolated to an older version of the Pod code, which is no longer actively deployed. The total financial impact was approximately $3,500, and the Peapods team said that the affected Pod will be reimbursed.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The root cause of the exploit was that the depositFromPairedLpToken function allowed users to set _slippageOverride, which directly influenced the amountOutMinimum parameter of the exactInputSingle function.
Fig: depositFromPairedLpToken() Function
  • The attacker first manipulated the price by executing a large trade before calling depositFromPairedLpToken.
  • By setting _slippageOverride = 999, the contract accepted highly unfavorable trade conditions.
Fig: Attack Call
  • The attacker then back-ran the transaction, selling the tokens at a manipulated higher price and profiting from the difference.
  • There was no validation or restriction on _slippageOverride, allowing the attacker to set an extreme value and bypass the swap's slippage protection.
  • Official response from Peapods Finance Team: https://x.com/PeapodsFinance/status/1888200927779402151

Mitigation and Best Practices:

  • Restrict _slippageOverride to reasonable bounds (e.g., between 1 and 50).
  • Ensure the swap price is validated against Chainlink or other trusted oracles before execution, rather than relying on the pool's spot price alone.
  • To prevent such vulnerabilities, smart contract auditors must examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found at https://github.com/Credshields/audit-reports. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 494+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner
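To make the root cause and the two mitigations above concrete, here is an added Solidity illustration written for this analysis; it is not the Peapods contract and does not reproduce its code. It assumes a slippage encoding in tenths of a percent (so 999 means 99.9%), a Uniswap V3-style exactInputSingle router, and a hypothetical IQuoter interface standing in for a pool spot quote and for a trusted oracle quote.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Subset of a Uniswap V3-style SwapRouter: only the fields this example needs.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient; uint256 deadline;
        uint256 amountIn; uint256 amountOutMinimum; uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata p) external payable returns (uint256 amountOut);
}
// Hypothetical quote source: how much tokenOut `amountIn` of tokenIn should buy.
interface IQuoter {
    function quote(address tokenIn, address tokenOut, uint256 amountIn) external view returns (uint256);
}
contract SlippageExample {
    uint256 private constant DENOM = 1000;      // slippage in tenths of a percent (assumed encoding; 999 = 99.9%)
    uint256 private constant MAX_SLIPPAGE = 50; // 5%, the upper bound suggested in the post
    ISwapRouter public immutable router;
    IQuoter public immutable spotQuoter; // pool-derived spot price: can be skewed by a large trade in the same block
    IQuoter public immutable oracle;     // trusted external oracle (e.g. Chainlink-backed)
    uint24 public immutable poolFee;
    constructor(ISwapRouter r, IQuoter s, IQuoter o, uint24 f) { router = r; spotQuoter = s; oracle = o; poolFee = f; }

    // Vulnerable pattern: the quote is the manipulable spot price and the caller-supplied override is unbounded,
    // so _slippageOverride = 999 drives amountOutMinimum down to 0.1% of an already skewed quote.
    function depositVulnerable(address tokenIn, address tokenOut, uint256 amountIn, uint256 _slippageOverride) external returns (uint256) {
        uint256 quoted = spotQuoter.quote(tokenIn, tokenOut, amountIn);
        uint256 minOut = quoted * (DENOM - _slippageOverride) / DENOM; // no bounds check on the override
        return _swap(tokenIn, tokenOut, amountIn, minOut);
    }

    // Hardened pattern: bound the override to [1, MAX_SLIPPAGE] and derive the floor from the trusted oracle,
    // so neither a skewed pool nor an extreme override can push amountOutMinimum below 95% of fair value.
    function depositHardened(address tokenIn, address tokenOut, uint256 amountIn, uint256 _slippageOverride) external returns (uint256) {
        require(_slippageOverride >= 1 && _slippageOverride <= MAX_SLIPPAGE, "slippage override out of bounds");
        uint256 quoted = oracle.quote(tokenIn, tokenOut, amountIn);
        uint256 minOut = quoted * (DENOM - _slippageOverride) / DENOM;
        return _swap(tokenIn, tokenOut, amountIn, minOut); // router reverts if the fill is below minOut
    }

    // Assumes this contract already holds `amountIn` of tokenIn and has approved the router to spend it.
    function _swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut) internal returns (uint256) {
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn, tokenOut: tokenOut, fee: poolFee, recipient: address(this), deadline: block.timestamp,
            amountIn: amountIn, amountOutMinimum: minOut, sqrtPriceLimitX96: 0
        }));
    }
}
```

With the hardened version, a call passing _slippageOverride = 999 reverts before any swap is attempted, and a fill against a manipulated pool fails the oracle-derived minimum inside the router.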

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.

SolidityScan — LinkedIn | Twitter | Telegram | Discord