Hacker exploits Popsicle Finance bug and drains $20 million

A new attack on DeFi

Yesterday, Popsicle Finance, a multi-chain project dedicated to yield farming, announced that it had suffered a hack. The attacker reportedly exploited a bug in the algorithm to steal nearly $20 million.

This case joins the already long list of attacks that have affected the decentralized finance (DeFi) sector. Since the beginning of the year, there have been more than 20 hacks and a total of 310 million dollars stolen.

In a Twitter thread, security researcher Mudit Gupta detailed how the hacker proceeded to subtly exploit a flaw in the protocol.

Popsicle Finance exploited, hacker drained ~ $ 25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7

Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exhibits multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9

– Mudit Gupta (@Mudit__Gupta) August 4, 2021

The security expert explained in particular that he had already reported a similar bug in another program, specifying that this type of error "has already been exploited in a dozen other protocols". According to him, in the case of Popsicle Finance, "the hack was complex but the bug was simple".
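A simplified Python model of the bug class named in the tweet, added here as an illustration: it is not Popsicle Finance's contract code, and the `Vault` class, its method names and the sample amounts are constructed for the example. It compares a share transfer that leaves the per-holder fee checkpoint (the "reward debt") behind with one that settles both parties first, and checks the invariant that fees owed never exceed fees collected.

```python
PRECISION = 10**18  # fixed-point scale, as integer-only contract code would use

class Vault:
    """Constructed model of per-share fee accounting (not the protocol's code)."""

    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = {}      # holder -> share balance
        self.checkpoint = {}  # holder -> accumulator at last settlement ("reward debt")
        self.owed = {}        # holder -> settled fees not yet paid out
        self.fees_per_share = 0
        self.total_shares = 0
        self.total_fees = 0

    def _settle(self, who):
        delta = self.fees_per_share - self.checkpoint.get(who, 0)
        earned = self.shares.get(who, 0) * delta // PRECISION
        self.owed[who] = self.owed.get(who, 0) + earned
        self.checkpoint[who] = self.fees_per_share

    def deposit(self, who, amount):
        self._settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount

    def collect_fees(self, amount):
        self.total_fees += amount
        self.fees_per_share += amount * PRECISION // self.total_shares

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:  # hardened path: update both checkpoints first
            self._settle(src)
            self._settle(dst)
        self.shares[src] -= amount   # weak path moves shares but no checkpoint
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def claimable(self, who):
        self._settle(who)
        return self.owed[who]

def accounting_gap(settle_on_transfer):
    """Fees owed to all holders minus fees collected; the invariant is gap <= 0."""
    v = Vault(settle_on_transfer)
    v.deposit("alice", 100)
    v.deposit("lp", 100)
    v.collect_fees(200)
    v.claimable("alice")             # alice's share of the fees is now settled
    v.transfer("alice", "bob", 100)  # bob has no checkpoint yet
    return sum(v.claimable(h) for h in ("alice", "lp", "bob")) - v.total_fees
```

When the checkpoint is left behind, the gap is positive, meaning the vault owes more fees than it collected; settling both parties on transfer brings the gap back to zero.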


Popsicle Finance's "strawberry sorbet"

In the Uniswap model, any user can become a liquidity provider for a given pair, such as ETH / USDT. Providers can set a specific price range in which to add liquidity, if they are confident that the asset will continue to move within that range.

The benefit is that Uniswap pays the liquidity providers a portion of all transaction fees generated. The fee is usually 0.3%, although it can be set higher.

However, the market is changing very quickly and liquidity providers are encouraged to optimize their offer as precisely as possible. If the asset goes out of the defined price range, the user must readjust their parameters to continue using the Uniswap protocol.

This naturally leads to a race for optimization, which can be a heavy burden for newcomers. This is why Popsicle Finance created the product Sorbetto Fragola ("strawberry sorbet" in Italian). Users can simply deposit their cryptocurrencies into Fragola, and the algorithm determines the most lucrative liquidity pool in which to invest them.


Too tempting a solution?

Unfortunately, Popsicle Finance's seemingly very profitable product has been tarnished by security concerns. On the social network Reddit, many people report having suffered immense losses. One of them even explains having already suffered "a 30% drop in the last few minutes," before adding "Edit: now 50%". In total, 4300 ETH has been drained from users' pockets.

Within hours of the attack, the price of the project's native token, ICE, plummeted by over 60%.


Fall in the price of ICE following the attack on the Popsicle Finance protocol – Source: TradingView

On Twitter, Popsicle asked its users to immediately withdraw their funds from all ETH / AXS, ETH / SLP, ETH / LINK pools or from all EURt-linked pairs.


About the Author: Lilian Aliaga


Freelance writer located between Paris and Toulouse. I want to share my passion for the world of cryptocurrencies with as many people as possible. I am also interested in technical analysis and trading.