Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » Analysis » DeFi Project Popsicle Finance Suffers $25 Million Attack

DeFi Project Popsicle Finance Suffers $25 Million Attack

by

Popsicle Finance’s ICE token initially crashed 55% on the news.

DeFi Project Popsicle Finance Suffers $25 Million Attack
Shutterstock cover by Sahara Prince

Key Takeaways

  • Popsicle Finance has been hacked, with attackers draining approximately $25 million.
  • The attacker tricked the Fragola liquidity manager into paying out large amounts of Ethereum.
  • The attack on Popsicle Finance was bigger than all previous hacks in July combined.

Share this article

Yield optimization platform Popsicle Finance has been attacked, with hackers draining around $25 million of Ethereum from the Sorbetto Fragola liquidity manager. 

Popsicle Finance Hacked

Popsicle Finance is the latest DeFi protocol to fall victim to hackers. 

A hacker looks to have exploited a smart contract in the platform’s Sorbetto Fragola liquidity manager. Fragola allows users to optimize yields on Uniswap V3, automatically choosing the best ranges to ensure the highest yield. However, a bug in the smart contract allowed a hacker to trick the contract into paying out yield from the day it was launched instead of when the hacker allocated funds to it. This resulted in the hacker being able to repeatedly drain large amounts of Ethereum, using the same exploit on multiple accounts. In total, it is estimated that the attack cost users approximately $25 million.   

The hack was first brought to attention by a Popsicle Finance team member operating under the alias @danielesesta Tuesday evening. 

Since then, Popsicle Finance has disclosed the hack, urging users to immediately remove funds from the affected pools. @danielesesta has also offered the attacker $1 million “in completely clean money” for the safe return of the funds. 

While all DeFi applications hold some inherent risk of being hacked, Popsicle Finance appeared to be taking the necessary precautions. The platform’s smart contracts had previously undergone two separate audits from CertiK and Peckshield, with both coming back without any critical issues. 

Mudit Gupta, a core developer for the DeFi “blue chip” SushiSwap, weighed in on the situation on Twitter. He explained that while the hack was complex to conduct, the bug in the code was simple. Gupta himself earned a $10,000 bounty for identifying the same bug in the smart contracts of DeFi protocol WildCredit in June. 

Commenting on Popsicle Finance’s multiple audits, Gupta tweeted

“To be fair, auditors are humans and things can slip up. It is fair to expect that this bug will be caught, but there is no guarantee.”

Popsicle Finance follows a long list of DeFi platforms to fall victim to hacks recently. At the start of July, cross-chain bridge ChainSwap suffered two hacks, resulting in almost $9 million worth of losses. Later in the month, hackers attacked Polygon yield farm PolyYeld, crashing its YELD farm token to zero. Additionally, the decentralized liquidity network THORChain has been exploited three times since June, with attackers making off with over $13 million. The recent attack on Popsicle Finance was severe in comparison, with more value lost than all previous hacks in July combined. 

On the news of the hack going public, Popsicle finance’s ICE token crashed in value, initially dropping over 55%. It has since recovered but is still down 30% from yesterday’s price. Despite the exploit, investors still seem to have confidence in Popsicle Finance and are buying the dip. The same dip-buying occurred after THORChain’s last hack, with the project’s RUNE token recording a major rebound from its post-hack lows. 

Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and SUSHI.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.