Penpie, a yield generation protocol built atop Pendle Finance, has suffered a smart contract exploit that has drained $27 million – and counting – from its users. According to cybersecurity firm Cyvers, an address funded through cryptocurrency mixer Tornado Cash executed a malicious transaction that drained $27 million in Lido Staked ETH (wstETH), Ethena’s sUSDe, and Swell’s rswETH. Prior to the exploit, Penpie held $136 million in total value locked (TVL), according to DeFiLlama. The project’s native PNP token is down just 9% on the day. Users are awaiting a statement from the Penpie team, which did not immediately reply to a request for comment from The Defiant. However, Pendle Finance did assure users that none of their funds were in danger, which has led them to temporarily stall all smart contracts. “After a thorough investigation, we can confirm that funds on Pendle remain secure,” said the Pendle Finance team. “However, we have identified a security compromise in Penpie, an independent protocol built on top of Pendle.” Pendle is DeFi’s 11th-largest protocol, with more than $2.5 billion in TVL. To avoid any further loss of funds, Pendle has paused all its smart contracts and “shall maintain close communication with the Penpie team to actively assist them in resolving the issue as swiftly as possible.” This is a developing story.