Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.
The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.” In a Twitter thread, Gupta also explained how he reported a similar bug in another protocol, adding that the error “has been exploited in like a dozen other protocols already.”
Popsicle Finance is a decentralized finance (DeFi) protocol with a suite of different products that allow users to automate yield on their crypto holdings. The specific product that has been attacked is called Sorbetto Fragola, which is Italian for “strawberry sorbet.”
How the exploit worked
In Uniswap’s latest iteration, liquidity providers are allowed to set specific price parameters within which they’d like to add liquidity. If, for instance, you think that the price of Ethereum will continue to trade between $2,450 and $2,700 as it’s done for the past week, then you’d be inclined to add liquidity to this specific range.
This is because Uniswap pays liquidity providers a portion of the proceeds of all trade fees generated. The most common trading fee is 0.3%, but this can be adjusted.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn’t transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here pic.twitter.com/shdYdyemD9
— Mudit Gupta (@Mudit__Gupta) August 4, 2021
The feature also means that Uniswap users are now incentivized to optimize their liquidity provision as accurately as possible—as Ethereum leaves a trading range, users will need to adjust their price parameters. This benefits them, as they earn more money from trading fees, but also traders who want to draw from a deep pool and avoid price slippage.
Naturally, the race to optimize can be cumbersome if not an outright headache for laypeople. Resolving this pain point is where Popsicle Finance’s Sorbetto Fragola product fits in.
For a small fee, users can simply deposit their crypto holdings into Fragola, and the protocol will deploy those holdings into the most lucrative liquidity pool.
It’s sort of like a robo-advisor for a niche crypto project.
Unfortunately, Fragola’s sweet promise of simplicity has been soured by security concerns. One user in the project’s Discord said that they “did not lose absolutely everything, but 6 figures and it does hurt.” Another reported losing “like 40%” of their portfolio from the exploit.
The project’s native token, ICE, has also crashed by more than 26% at press time, according to CoinGecko.
As for next steps, Popsicle Finance has urged users to remove holdings from the ETH/AXS, ETH/SLP, ETH/LINK, and EURt pools as soon as possible.
1/
We are aware of the current exploit to Fragola. We will investigate and publish post mortem.
The other Popsicle Finance’s contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
— Popsicle Finance (@PopsicleFinance) August 4, 2021
Hacks, exploits, and rug pulls are all par for the course in the wild west of DeFi. Popsicle Finance may be the latest, but it certainly wasn’t the first.
And it definitely won’t be the last.