DeFi Project ‘Popsicle Finance’ Loses $25 Million in Apparent Hack
A hacker this week managed to execute a transaction that drained 85 percent of the deposit pools of Popsicle Finance, a multi-chain yield-generating platform for liquidity providers.
According to the post-mortem, the attacker targeted the Sorbetto Fragola contracts (UniswapV3 optimiser), while other contracts such as nICE staking and ICE Farming were left unaffected. The attacker managed to drain over US$20 million, using flash loans to borrow US$30 million in USDT along with $32 million in ETH.
$1 Million Bounty Offered for Return
In response to the attack, the protocol addressed the hacker, offering a US$1,000,000 bounty if he/she returns the funds. Deposits to all pools have since been locked.
The protocol is working out a compensation plan and has asked its community for feedback to spur ideas. Two months ago, Rari Capital reimbursed up to US$26 million after losing 2600 ETH in a similar hack.
Popsicle Finance’s community was supportive rather than accusing the protocol of an exit scam. Before the launch of Sorbetto, the community voted to release the contract unaudited, yet the team decided to wait for data analytics companies CertiK and PeckShield Inc to audit the project.
A Commonly Exploited DeFi Bug
SushiSwap core developer Mudit Gupta said the hacker found a bug in the smart contract that allowed anyone to receive rewards and claim them multiple times for the same shares from much further back in time than they should have been able to. Gupta added that this was a common bug in most exploited DeFi protocols.
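The bug class described above, as an added Python model that is not Popsicle Finance's contract code: a pool pays rewards from a cumulative reward-per-share index, and each account stores the index value at which it was last settled. All names and figures are constructed, and using a share transfer as the path by which shares reach an account with a stale checkpoint is an assumption of this model.

```python
class RewardPool:
    """Toy share pool: rewards tracked via a cumulative reward-per-share index."""

    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.index = 0          # cumulative rewards per share
        self.total_shares = 0
        self.shares, self.paid_index, self.owed = {}, {}, {}

    def _settle(self, acct):
        # Credit rewards accrued since this account's last checkpoint.
        held = self.shares.get(acct, 0)
        accrued = held * (self.index - self.paid_index.get(acct, 0))
        self.owed[acct] = self.owed.get(acct, 0) + accrued
        self.paid_index[acct] = self.index

    def deposit(self, acct, amount):
        self._settle(acct)
        self.shares[acct] = self.shares.get(acct, 0) + amount
        self.total_shares += amount

    def add_rewards(self, amount):
        self.index += amount // self.total_shares  # sample values divide exactly

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:
            # Hardened: checkpoint both sides before balances change.
            self._settle(src)
            self._settle(dst)
        # Vulnerable when skipped: dst keeps a stale (or zero) checkpoint.
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def claim(self, acct):
        self._settle(acct)
        paid, self.owed[acct] = self.owed[acct], 0
        return paid


def run_scenario(settle_on_transfer):
    """Constructed scenario: (first claim, claim after transfer, other LP's claim)."""
    pool = RewardPool(settle_on_transfer)
    pool.deposit("lp_a", 100)
    pool.deposit("lp_b", 100)
    pool.add_rewards(1000)                   # 5 per share; 500 owed to each LP
    first = pool.claim("lp_a")
    pool.transfer("lp_a", "fresh", 100)      # same shares, new holder
    second = pool.claim("fresh")
    return first, second, pool.claim("lp_b")
```

Without the checkpoint on transfer, the model owes 1,500 against 1,000 of rewards received, which is the invariant an audit or on-chain monitor should check: total claims never exceed total rewards accrued.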
Popsicle Finance’s hack adds to the list of over 20 DeFi hacks this year, amounting to a total of US$310 million lost since 2020. Since DeFi hacks have become a common topic in the industry, many in the community believe most of them are undercover rugpulls.
Two months ago, DeFi100 went down – its official website displayed an “Error 404” message, and more than US$32 million vanished. Despite the protocol insisting it didn’t rug-pull its investors, the incident raised concerns over a potential exit scam.