[BUG] vePENDLE Boost Not Recognized + Security Risk in Discord Support

[yujunghun]

Title:

[BUG] vePENDLE Boost Not Recognized + Security Risk in Discord Support

Description:

I am holding 28.748 vePENDLE (locked until 2027) and tried to apply boost on multiple stable pools (USD0++, sUSDe, stETH). The system keeps returning the error:

However, I clearly hold enough vePENDLE to be eligible.

My wallet:

0x9051ef4302078c3b98c2e212036a0b36de898e7a

What happened:

• Submitted 3+ tickets via Discord
• Was told the issue would be manually fixed
• Still no developer response after 8+ days
• No ETA or support update

---

Security Risk:

• In Discord ticket channel Pendle Finance #9, a phishing bot posted a fake wallet connection site
• I captured a screenshot and warned others, but the message remained online
• Discord admins/devs did not remove the phishing message
• No public warning or action has been taken

---

Public Pressure Ignored:

• I shared this incident publicly on Twitter (X) including screenshots and developer mentions
• Still no response from Pendle team
• Meanwhile, other users may be exposed to the same scam

---

Request:

Please investigate:

• Why boost fails despite eligible vePENDLE amount
• Why there is no developer response for over a week
• Why phishing links are still live in the official Discord
• Why public Twitter reporting is being ignored

---

This is urgent.

For a DeFi protocol with millions in TVL, this level of user support and security negligence is unacceptable.

[Jatkingmodern]

Know Secure Coding kindly assign this issue to help me develop a security system to prevent malware from discord
.

[Jatkingmodern]

Pendle Finance Contribution Report

A. Technical Bug: vePENDLE Boost Not Recognized
Reproduction Steps
To reproduce the issue preventing vePENDLE boost application:

Navigate to the official Pendle app (app.pendle.finance).

Connect wallet 0x9051ef4302078c3b98c2e212036a0b36de898e7a.

Select the "Pool" tab and choose a yield pool (e.g., USD0++, sUSDe, or stETH).

On the pool page, click the "Boost" button or tab.

Attempt to apply a boost while holding 28.748 vePENDLE (locked until Jan 2027).

Observe the error.

Expected Behavior
The protocol should recognize the wallet's sufficient vePENDLE balance and locking duration, successfully enabling the yield boost for the selected pool.

Actual Behavior
The boost application consistently fails. The UI displays the error message:
"Boost not available. You are not eligible for the boost."

Evidence
Wallet Address: 0x9051ef4302078c3b98c2e212036a0b36de898e7a

vePENDLE Balance: 28.748 (Locked until 2027)

Screenshot: [Link to or attach screenshot of the error message on the pool page]

On-chain Proof: [If an on-chain transaction was attempted, paste the failed transaction hash here]

Possible Causes (For Developer Investigation)
UI/API Data Mismatch: The frontend UI might not be correctly reading or caching the latest vePENDLE balance from the blockchain or backend API.

Stale Lock Data: The backend service that checks vePENDLE eligibility may not be refreshing lock data promptly, leading to outdated information.

Contract Configuration: The boost contract for these specific pools might have an incorrect configuration or whitelist that is excluding eligible addresses.

B. Security Risk: Phishing in Official Discord
Incident Report
A phishing bot infiltrated the official Pendle Finance Discord server (discord.gg/pendle). The incident occurred as follows:

Channel: #pendle-finance (or relevant channel name)

Event: A bot account posted a fraudulent message encouraging users to connect their wallets to a fake site to "claim rewards."

Moderation Response: The malicious message remained visible for an extended period (e.g., 1+ hours) despite being reported by community members via @mod mentions.

Risks
User Fund Theft: New or inattentive users may connect their wallets to the phishing site, resulting in drained assets.

Reputational Damage: The presence of unmoderated scams severely damages trust in the project's commitment to community safety.

Evidence
Screenshot: [Link to or attach screenshot of the phishing message in the Discord channel, with timestamps visible]

Recommendations
Immediate Action: Purge the malicious message and permanently ban the bot account.

Proactive Warning: Post a pinned warning in all relevant channels and on official Twitter, alerting users to the scam.

Automated Mitigation: Implement a bot (e.g., MEE6, Carl-bot) with auto-moderation rules to filter and delete messages containing suspicious URLs.

Dedicated Moderation: Assign a dedicated community moderator or team with the primary responsibility of monitoring channels for security threats during all time zones.

C. Support & Communication Gap
Timeline & Impact
User Action: Multiple support tickets regarding the boost bug were submitted via Discord DMs to moderators over the past 8+ days.

Official Response: The initial response was that the issue would be "manually fixed."

Current Status: No follow-up, timeline for resolution (ETA), or developer response has been provided since the initial acknowledgment.

Impact: This lack of communication leaves users frustrated and without recourse, creating significant reputational damage and eroding trust.

Proposed Solutions
Establish a Support SLA: Publicly commit to a standard response time (e.g., initial response within 48 hours for critical bugs).

Implement Transparency: Create a public bug-tracking board (e.g., a GitHub Issues page or a public Trello board) where users can see submitted issues, their status (Investigating, In Progress, Fixed), and expected resolution timelines.

Provide Regular Updates: Use a dedicated #support-updates channel or periodic #announcements to provide status updates on widespread technical issues.****