Pendle Finance has confirmed that its funds remain secure following an investigation into a security breach. However, a separate protocol built on Pendle, known as Penpie, suffered a significant reentrancy attack. The attacker exploited the reward accounting system of Penpie's contracts on Ethereum and Arbitrum, resulting in a loss of approximately $28 million (11,109 ETH) through a flash loan attack. Despite this, Pendle managed to save $107 million in assets by swiftly pausing all contracts and addressing the security issue. The vulnerability was identified by Cyvers, a Web3 security company, which noted that the PendleStaking contract lacked a reentrancy guard.