
Hacker drains more than $20 million from the Popsicle Finance DeFi protocol
The DeFi project Popsicle Finance was hacked, losing $20.7 million.
Popsicle Sorbetto Fragola, our Uniswap V3 optimizer last night was hacked.
Thanks to all that supported us in the last hours, and in general to our unbelievable community that continuously makes us want to deliver!
Here is our Post Mortem: https://t.co/DuXMNos9td
— Popsicle Finance (@PopsicleFinance) August 4, 2021
A bug was found in the project's Sorbetto Fragola product, which lets users place assets in the most lucrative liquidity pools. According to the Popsicle Finance site, the solution was designed specifically for Uniswap v3, which introduced concentrated liquidity.
According to the DeFi protocol, the attacker drained 85% of the Sorbetto Fragola pools.
"The hacker forced the contract to believe that he earned as much in fees as the total amount of funds locked in the pool, and, on that basis, is entitled to $20.7 million held in the pool", the project said.
Subsequently, he swapped the proceeds for ETH on Uniswap, and then sent them to the Tornado.Cash mixing service to launder the funds, according to Popsicle Finance.
SushiSwap developer Mudit Gupta said that "the hack was complex, but the bug was simple". According to him, the attacker drained $25 million as a result of the attack.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn’t transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9
— Mudit Gupta (@Mudit__Gupta) August 4, 2021
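The accounting flaw Gupta describes, shown as an added example (not code from this article or from Popsicle's contracts): a simplified Python model of per-share fee accounting, comparing a share transfer that skips the reward-debt checkpoint with one that settles both parties first. The class, method and holder names are hypothetical, and the invariant checked is that fees credited to holders never exceed fees the vault holds.

```python
from fractions import Fraction

class FeeVault:
    """Toy per-share fee ledger (constructed model, not Popsicle's contract)."""

    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = {}        # holder -> share balance
        self.debt = {}          # holder -> fee_per_share already credited ("reward debt")
        self.owed = {}          # holder -> fees credited to the holder
        self.total_shares = 0
        self.fee_per_share = Fraction(0)  # cumulative fees per share
        self.fees_held = Fraction(0)      # fees the vault actually collected

    def settle(self, who):
        # Credit fees accrued since the holder's last checkpoint, then move the checkpoint.
        delta = self.fee_per_share - self.debt.get(who, Fraction(0))
        self.owed[who] = self.owed.get(who, Fraction(0)) + self.shares.get(who, 0) * delta
        self.debt[who] = self.fee_per_share
        return self.owed[who]

    def deposit(self, who, amount):
        self.settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount

    def accrue_fees(self, amount):
        self.fee_per_share += Fraction(amount, self.total_shares)
        self.fees_held += amount

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:   # hardened: checkpoint both sides first
            self.settle(src)
            self.settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

def credited_vs_held(settle_on_transfer):
    """Return (total fees credited to holders, fees held) after one share transfer."""
    v = FeeVault(settle_on_transfer)
    v.deposit("holder_a", 100)
    v.accrue_fees(50)
    v.settle("holder_a")                      # holder_a is credited the 50 in fees
    v.transfer("holder_a", "holder_b", 100)   # holder_b has no checkpoint yet
    total = v.settle("holder_a") + v.settle("holder_b")
    return total, v.fees_held

if __name__ == "__main__":
    for flag in (False, True):
        credited, held = credited_vs_held(flag)
        print(f"settle_on_transfer={flag}: credited={credited} held={held} ok={credited <= held}")
```

The same credited-versus-held comparison works as a property test or audit assertion for any share token that tracks fees per share.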
In return for the funds, Popsicle Finance offered the attacker $1 million "in any currency".
Deposits for all pools are blocked; the only pools eligible for withdrawal are AXS/ETH, YGG/USDC, LINK/ETH and all EURt pools. Users were urged to withdraw their funds from them.
The team pledged to outline a plan to compensate users for the losses later.
Earlier in July, the THORChain DeFi protocol team announced a suspension of operations after several hacking attacks.