Key Takeaways
- Popsicle Finance has been hacked, with attackers draining approximately $25 million.
- The attacker tricked the Fragola liquidity manager into paying out large amounts of Ethereum.
- The attack on Popsicle Finance was bigger than all previous hacks in July combined.
Yield optimization platform Popsicle Finance has been attacked, with hackers draining around $25 million of Ethereum from the Sorbetto Fragola liquidity manager.
Popsicle Finance Hacked
Popsicle Finance is the latest DeFi protocol to fall victim to hackers.
A hacker looks to have exploited a bug in the smart contract behind the platform's Sorbetto Fragola liquidity manager. Fragola lets users optimize yields on Uniswap V3 by automatically choosing the price ranges expected to earn the most fees. However, a flaw in the contract's fee accounting allowed the hacker to trick it into paying out yield accrued since the day it was launched, rather than only the yield earned after the hacker allocated funds to it. By repeating the same exploit from multiple accounts, the hacker was able to drain large amounts of Ethereum again and again. In total, it is estimated that the attack cost users approximately $25 million.
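The bug class described above is easy to see in a toy model. The following Python is an added illustration written for this article; it is not the Fragola contract's code and makes no claim about its internals. It models the common "accumulated fee per share" bookkeeping used by yield vaults: a global accumulator of fees per share, and a per-account checkpoint (`fee_debt`) recording how much of that accumulator the account has already been credited for. The vulnerable variant never updates the checkpoint when an account's balance changes, so a newcomer is credited with fees from launch; the transfer step that lets a second account repeat the claim is an assumption about how "multiple accounts" could be used, and the scenario's numbers are constructed.

```python
SCALE = 10**18  # fixed-point scale for the per-share fee accumulator


class FeeVault:
    """Toy 'accumulated fee per share' vault (illustration only, not Fragola's code).

    shares[user]       : LP shares held by user
    acc_fee_per_share  : fees accrued per share since launch, scaled by SCALE
    fee_debt[user]     : shares * acc_fee_per_share already credited to user,
                         so pending fees = shares * acc - fee_debt
    owed[user]         : settled-but-unclaimed fees (fixed variant only)

    With checkpoint_on_balance_change=False a balance change leaves fee_debt
    untouched (a fresh account has fee_debt == 0), so its pending fees are
    computed from launch rather than from when it received shares.
    """

    def __init__(self, checkpoint_on_balance_change: bool):
        self.checkpoint_on_balance_change = checkpoint_on_balance_change
        self.acc_fee_per_share = 0
        self.total_shares = 0
        self.shares: dict[str, int] = {}
        self.fee_debt: dict[str, int] = {}
        self.owed: dict[str, int] = {}

    def accrue_fees(self, fee_wei: int) -> None:
        """Trading fees arrive and are spread over all shares that exist now."""
        if self.total_shares == 0:
            return
        self.acc_fee_per_share += fee_wei * SCALE // self.total_shares

    def _credited(self, user: str) -> int:
        return self.shares.get(user, 0) * self.acc_fee_per_share // SCALE

    def _settle(self, user: str) -> None:
        """Fixed variant: bank pending fees at the current balance and re-checkpoint."""
        pending = self._credited(user) - self.fee_debt.get(user, 0)
        self.owed[user] = self.owed.get(user, 0) + pending
        self.fee_debt[user] = self._credited(user)

    def _change_balance(self, user: str, delta: int) -> None:
        if self.checkpoint_on_balance_change:
            self._settle(user)                          # settle at the OLD balance
        new_balance = self.shares.get(user, 0) + delta
        if new_balance < 0:
            raise ValueError("insufficient shares")
        self.shares[user] = new_balance
        if self.checkpoint_on_balance_change:
            self.fee_debt[user] = self._credited(user)  # checkpoint at the NEW balance
        # Vulnerable variant: fee_debt is never touched here.

    def deposit(self, user: str, amount: int) -> None:
        self._change_balance(user, amount)
        self.total_shares += amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self._change_balance(src, -amount)
        self._change_balance(dst, amount)

    def claim(self, user: str) -> int:
        """Pay out everything the bookkeeping says is pending for `user`."""
        pending = self._credited(user) - self.fee_debt.get(user, 0) + self.owed.get(user, 0)
        self.fee_debt[user] = self._credited(user)
        self.owed[user] = 0
        return pending


def run_scenario(checkpoint_on_balance_change: bool) -> dict[str, int]:
    """Constructed scenario: an honest LP is alone in the vault while 10 ETH of
    fees accrue; the attacker then deposits (no further fees accrue), claims,
    moves the same shares to a fresh account and claims again."""
    eth = 10**18
    v = FeeVault(checkpoint_on_balance_change)
    v.deposit("honest", 100)
    v.accrue_fees(10 * eth)                    # every wei of this belongs to "honest"
    v.deposit("attacker", 100)                 # arrives after the fees accrued
    drained = v.claim("attacker")
    v.transfer("attacker", "attacker2", 100)   # same shares, fresh account
    drained += v.claim("attacker2")
    return {"attacker_total": drained, "honest": v.claim("honest")}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # attacker paid 20 ETH, honest 10 ETH: 30 ETH claimed on a 10 ETH pool
    print("fixed:     ", run_scenario(True))   # attacker paid 0, honest 10 ETH
```

In the vulnerable run the bookkeeping promises 30 ETH of payouts against 10 ETH of real fees, and each fresh account resets the damage counter, which is why the same exploit keeps working across accounts. The fix is the standard one: settle and re-checkpoint on every balance change (deposit, withdraw and token transfer), not only on claim.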
The hack was first brought to attention by a Popsicle Finance team member operating under the alias @danielesesta Tuesday evening.
Popsicle Finance Got Hacked, Post Mortem as soon as we discover the cause. We will figure it out together and will make it back for our beloved users. Sadly 2 audits were not enough this time…
— Ser Daniele Carpèt 🧊🧙♂️ (@danielesesta) August 3, 2021
Since then, Popsicle Finance has disclosed the hack, urging users to immediately remove funds from the affected pools. @danielesesta has also offered the attacker $1 million “in completely clean money” for the safe return of the funds.
While all DeFi applications hold some inherent risk of being hacked, Popsicle Finance appeared to be taking the necessary precautions. The platform’s smart contracts had previously undergone two separate audits from CertiK and Peckshield, with both coming back without any critical issues.
Mudit Gupta, a core developer for the DeFi “blue chip” SushiSwap, weighed in on the situation on Twitter. He explained that while the hack was complex to conduct, the bug in the code was simple. Gupta himself earned a $10,000 bounty for identifying the same bug in the smart contracts of DeFi protocol WildCredit in June.
Commenting on Popsicle Finance’s multiple audits, Gupta tweeted:
“To be fair, auditors are humans and things can slip up. It is fair to expect that this bug will be caught, but there is no guarantee.”
Popsicle Finance follows a long list of DeFi platforms to fall victim to hacks recently. At the start of July, cross-chain bridge ChainSwap suffered two hacks, resulting in almost $9 million worth of losses. Later in the month, hackers attacked Polygon yield farm PolyYeld, crashing its YELD farm token to zero. Additionally, the decentralized liquidity network THORChain has been exploited three times since June, with attackers making off with over $13 million. The recent attack on Popsicle Finance was severe in comparison, with more value lost than all previous hacks in July combined.
On the news of the hack going public, Popsicle Finance's ICE token crashed in value, initially dropping over 55%. It has since recovered but is still down 30% from yesterday's price. Despite the exploit, investors still seem to have confidence in Popsicle Finance and are buying the dip. The same dip-buying occurred after THORChain's last hack, with the project's RUNE token recording a major rebound from its post-hack lows.
Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and SUSHI.