Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.
The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.” In a Twitter thread, Gupta also explained how he reported a similar bug in another protocol, adding that the error “has been exploited in like a dozen other protocols already.”
Popsicle Finance is a decentralized finance (DeFi) protocol with a suite of different products that allow users to automate yield on their crypto holdings. The specific product that has been attacked is called Sorbetto Fragola, which is Italian for "strawberry sorbet."
How the exploit worked
In Uniswap’s latest iteration, liquidity providers are allowed to set specific price parameters within which they’d like to add liquidity. If, for instance, you think that the price of Ethereum will continue to trade between $2,450 and $2,700 as it's done for the past week, then you’d be inclined to add liquidity to this specific range.
This is because Uniswap pays liquidity providers a portion of the proceeds of all trade fees generated. The most common trading fee is 0.3%, but this can be adjusted.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9
The feature also means that Uniswap users are now incentivized to optimize their liquidity provision as accurately as possible—as Ethereum leaves a trading range, users will need to adjust their price parameters. This benefits them, as they earn more money from trading fees, but also traders who want to draw from a deep pool and avoid price slippage.
Naturally, the race to optimize can be cumbersome if not an outright headache for laypeople. Resolving this pain point is where Popsicle Finance’s Sorbetto Fragola product fits in.
Uniswap v3’s liquidity provision interface. The range for this particular position is from 2,445.5 USDT to 2,691.9 USDT and has a fee of .3%. Source: Uniswap
For a small fee, users can simply deposit their crypto holdings into Fragola, and the protocol will deploy those holdings into the most lucrative liquidity pool.
It’s sort of like a robo-advisor for a niche crypto project.
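The bug Gupta describes above, reward debt that does not follow shares when they are transferred, can be reproduced in a small accounting model. This is an added illustration and not Popsicle Finance's contract code: the `FeeVault` class, its methods, the account names and all amounts are constructed, and the per-share fee accumulator is an assumed design for the sketch.

```python
PRECISION = 10**18  # fixed-point scale for the per-share accumulator (assumed)

class FeeVault:  # constructed toy model, not the Sorbetto Fragola contract
    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = {}  # account -> share balance
        self.paid = {}    # account -> accumulator value at last settle
        self.owed = {}    # account -> fees credited, not yet withdrawn
        self.total_shares = self.fee_per_share = self.fees_collected = 0

    def settle(self, acct):
        # Credit fees earned since the account's checkpoint, then advance it.
        delta = self.fee_per_share - self.paid.get(acct, 0)
        earned = self.shares.get(acct, 0) * delta // PRECISION
        self.owed[acct] = self.owed.get(acct, 0) + earned
        self.paid[acct] = self.fee_per_share

    def deposit(self, acct, amount):
        self.settle(acct)
        self.shares[acct] = self.shares.get(acct, 0) + amount
        self.total_shares += amount

    def accrue(self, fees):
        self.fees_collected += fees
        self.fee_per_share += fees * PRECISION // self.total_shares

    def transfer(self, src, dst, amount):
        if self.shares.get(src, 0) < amount:
            raise ValueError("insufficient shares")
        if self.settle_on_transfer:  # the fix: checkpoint both sides first
            self.settle(src)
            self.settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def total_owed(self):
        for acct in list(self.shares):
            self.settle(acct)
        return sum(self.owed.values())

def audit(settle_on_transfer):
    """Run a constructed sequence; return (fees credited, fees collected)."""
    v = FeeVault(settle_on_transfer)
    v.deposit("alice", 100)
    v.deposit("bob", 100)
    v.accrue(1000)
    v.settle("alice")
    v.transfer("alice", "carol", 100)
    return v.total_owed(), v.fees_collected
```

The invariant worth testing is that fees credited never exceed fees collected: without settlement on transfer the model credits 1,500 against 1,000 collected, and with both accounts settled before the shares move the two figures match.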
Unfortunately, Fragola’s sweet promise of simplicity has been soured by security concerns. One user in the project’s Discord said that they “did not lose absolutely everything, but 6 figures and it does hurt.” Another reported losing “like 40%” of their portfolio from the exploit.
The project's native token, ICE, has also crashed by more than 26% at press time, according to CoinGecko.
As for next steps, Popsicle Finance has urged users to remove holdings from the ETH/AXS, ETH/SLP, ETH/LINK, and EURt pools as soon as possible.
1/
We are aware of the current exploit to Fragola. We will investigate and publish post mortem.
The other Popsicle Finance's contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
Hacks, exploits, and rug pulls are all par for the course in the wild west of DeFi. Popsicle Finance may be the latest, but it certainly wasn’t the first.
And it definitely won’t be the last.