Popsicle Finance, a multi-chain yield-generating crypto project, has melted under the heat of a new exploit.
The $25 million heist was revealed by security researcher Mudit Gupta, who said “the hack was complex but the bug was simple.” In a Twitter thread, Gupta also explained how he reported a similar bug in another protocol, adding that the error “has been exploited in like a dozen other protocols already.”
Popsicle Finance is a decentralized finance (DeFi) protocol with a suite of different products that allow users to automate yield on their crypto holdings. The specific product that has been attacked is called Sorbetto Fragola, which is Italian for "strawberry sorbet."
How the exploit worked
In Uniswap’s latest iteration, liquidity providers are allowed to set specific price parameters within which they’d like to add liquidity. If, for instance, you think that the price of Ethereum will continue to trade between $2,450 and $2,700 as it's done for the past week, then you’d be inclined to add liquidity to this specific range.
This is because Uniswap pays liquidity providers a portion of the proceeds of all trade fees generated. The most common trading fee is 0.3%, but this can be adjusted.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9
The feature also means that Uniswap users are now incentivized to optimize their liquidity provision as accurately as possible—as Ethereum leaves a trading range, users will need to adjust their price parameters. This benefits them, as they earn more money from trading fees, but also traders who want to draw from a deep pool and avoid price slippage.
Naturally, the race to optimize can be cumbersome if not an outright headache for laypeople. Resolving this pain point is where Popsicle Finance’s Sorbetto Fragola product fits in.
Uniswap v3’s liquidity provision interface. The range for this particular position is from 2,445.5 USDT to 2,691.9 USDT and has a fee of .3%. Source: Uniswap
For a small fee, users can simply deposit their crypto holdings into Fragola, and the protocol will deploy those holdings into the most lucrative liquidity pool.
It’s sort of like a robo-advisor for a niche crypto project.
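The bug Gupta describes above, reward debt that does not move with transferred shares, can be seen in a small accounting model. The Python below is an added example and not Popsicle Finance's contract code; the vault class, holder names and amounts are all constructed for illustration.

```python
# Added example: toy per-share fee accounting; all names and values are hypothetical.
from fractions import Fraction

class Vault:
    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = {}       # holder -> share balance
        self.checkpoint = {}   # holder -> fees_per_share at last settlement ("reward debt")
        self.owed = {}         # holder -> fees credited to the holder so far
        self.total_shares = 0
        self.fees_per_share = Fraction(0)
        self.fees_held = Fraction(0)

    def settle(self, who):
        # Credit fees accrued since the holder's checkpoint, then move the checkpoint.
        delta = self.fees_per_share - self.checkpoint.get(who, Fraction(0))
        self.owed[who] = self.owed.get(who, Fraction(0)) + self.shares.get(who, 0) * delta
        self.checkpoint[who] = self.fees_per_share

    def deposit(self, who, amount):
        self.settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount

    def accrue(self, fees):
        self.fees_held += fees
        self.fees_per_share += Fraction(fees, self.total_shares)

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:   # the fix: checkpoint both sides before balances move
            self.settle(src)
            self.settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def total_credited(self):
        for who in list(self.shares):
            self.settle(who)
        return sum(self.owed.values())

def run_scenario(settle_on_transfer):
    # Constructed sequence: two holders, one fee accrual, one share transfer.
    v = Vault(settle_on_transfer)
    v.deposit("alice", 100)
    v.deposit("bob", 100)
    v.accrue(200)                      # fees_per_share becomes 1
    v.settle("alice")                  # alice is credited her 100
    v.transfer("alice", "carol", 100)  # carol has never held shares
    return v.total_credited(), v.fees_held
```

With settlement skipped on transfer, the model credits 300 in fees while holding only 200, because the recipient's stale checkpoint counts fees the sender was already credited. Settling both parties before balances change keeps credited fees equal to fees held.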
Unfortunately, Fragola’s sweet promise of simplicity has been soured by security concerns. One user in the project’s Discord said that they “did not lose absolutely everything, but 6 figures and it does hurt.” Another reported losing “like 40%” of their portfolio from the exploit.
The project's native token, ICE, has also crashed by more than 26% at press time, according to CoinGecko.
As for next steps, Popsicle Finance has urged users to remove holdings from the ETH/AXS, ETH/SLP, ETH/LINK, and EURt pools as soon as possible.
1/
We are aware of the current exploit to Fragola. We will investigate and publish post mortem.
The other Popsicle Finance's contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
Hacks, exploits, and rug pulls are all par for the course in the wild west of DeFi. Popsicle Finance may be the latest, but it certainly wasn’t the first.
And it definitely won’t be the last.