Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.
The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.” In a Twitter thread, Gupta also explained how he reported a similar bug in another protocol, adding that the error “has been exploited in like a dozen other protocols already.”
Popsicle Finance is a decentralized finance (DeFi) protocol with a suite of different products that allow users to automate yield on their crypto holdings. The specific product that has been attacked is called Sorbetto Fragola, which is Italian for "strawberry sorbet."
How the exploit worked
In Uniswap’s latest iteration, liquidity providers are allowed to set specific price parameters within which they’d like to add liquidity. If, for instance, you think that the price of Ethereum will continue to trade between $2,450 and $2,700 as it's done for the past week, then you’d be inclined to add liquidity to this specific range.
This is because Uniswap pays liquidity providers a portion of the proceeds of all trade fees generated. The most common trading fee is 0.3%, but this can be adjusted.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9
The feature also means that Uniswap users are now incentivized to optimize their liquidity provision as accurately as possible—as Ethereum leaves a trading range, users will need to adjust their price parameters. This benefits them, as they earn more money from trading fees, but also traders who want to draw from a deep pool and avoid price slippage.
Naturally, the race to optimize can be cumbersome if not an outright headache for laypeople. Resolving this pain point is where Popsicle Finance’s Sorbetto Fragola product fits in.
Uniswap v3’s liquidity provision interface. The range for this particular position is from 2,445.5 USDT to 2,691.9 USDT and has a fee of .3%. Source: Uniswap
For a small fee, users can simply deposit their crypto holdings into Fragola, and the protocol will deploy those holdings into the most lucrative liquidity pool.
It’s sort of like a robo-advisor for a niche crypto project.
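The bug described in the thread quoted above (reward debt is not carried along when shares are transferred) can be seen in a small accounting model. This is an added example, not Popsicle's contract code: the `FeeVault` class, its fee-per-share index and the holder names are assumptions made for illustration, and it compares a transfer that skips settlement with one that checkpoints both parties first.

```python
from fractions import Fraction

class FeeVault:
    """Constructed fee-per-share model; NOT Popsicle's contract code."""

    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = {}       # holder -> share balance
        self.checkpoint = {}   # holder -> fee index already paid out ("reward debt")
        self.owed = {}         # holder -> fees credited to the holder
        self.total_shares = 0
        self.fee_index = Fraction(0)   # cumulative fees earned per share
        self.fees_collected = Fraction(0)

    def settle(self, who):
        # Credit fees accrued since the holder's checkpoint, then advance it.
        delta = self.fee_index - self.checkpoint.get(who, Fraction(0))
        self.owed[who] = self.owed.get(who, Fraction(0)) + self.shares.get(who, 0) * delta
        self.checkpoint[who] = self.fee_index

    def deposit(self, who, amount):
        self.settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount

    def accrue_fees(self, amount):
        self.fees_collected += amount
        self.fee_index += Fraction(amount, self.total_shares)

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:
            # Hardened path: checkpoint both sides before balances move.
            self.settle(src)
            self.settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def total_owed(self):
        for who in list(self.shares):
            self.settle(who)
        return sum(self.owed.values(), Fraction(0))

def regression_case(settle_on_transfer):
    """Returns (total fees credited to holders, fees the vault actually collected)."""
    v = FeeVault(settle_on_transfer)
    v.deposit("alice", 100)
    v.accrue_fees(50)
    v.settle("alice")                 # alice is credited her 50
    v.transfer("alice", "bob", 100)   # shares move; does the checkpoint follow?
    return v.total_owed(), v.fees_collected
```

In the unsettled variant the model credits 100 in fees against 50 collected. An invariant test asserting that credited fees never exceed collected fees catches this class of bug before deployment.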
Unfortunately, Fragola’s sweet promise of simplicity has been soured by security concerns. One user in the project’s Discord said that they “did not lose absolutely everything, but 6 figures and it does hurt.” Another reported losing “like 40%” of their portfolio from the exploit.
The project's native token, ICE, has also crashed by more than 26% at press time, according to CoinGecko.
As for next steps, Popsicle Finance has urged users to remove holdings from the ETH/AXS, ETH/SLP, ETH/LINK, and EURt pools as soon as possible.
1/
We are aware of the current exploit to Fragola. We will investigate and publish post mortem.
The other Popsicle Finance's contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
Hacks, exploits, and rug pulls are all par for the course in the wild west of DeFi. Popsicle Finance may be the latest, but it certainly wasn’t the first.
And it definitely won’t be the last.