Hacker drains over $20M in latest exploit
Popsicle Finance, a cross-chain decentralized finance app and market maker, was hacked in a cyberattack yesterday, with $20.7 million drained from one of its liquidity pools. The hacker made off with over $20 million in various cryptocurrency tokens, including around $10 million in USDC and USDT. According to an announcement on Wednesday 4th August, the exploit affected Popsicle’s UniswapV3 optimizer pool, while its other contracts were left unaffected.
Like any good tragedy, things started off smoothly. The protocol had recently taken to Twitter to celebrate the launch of its Sorbetto (UniswapV3) pool, announcing that it had earned $1 million in fees for liquidity providers and had reached a landmark $30 million in total value locked in just three days.
Fast-forward a week and the Twitter feed tells a very different story. Following the announcement, the price of the platform’s native ICE token slipped over 55%, although it now seems to be in recovery.
Mudit Gupta, a member of the SushiSwap security team, took to Twitter to explain in a detailed thread what had happened, making the strong claim that while the hack was complex, the bug in the system was simple, and avoidable. In a nutshell, Popsicle Finance doesn’t transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used. The main bug is that the reward-debt variables are not updated when a user transfers their shares to a different address: the new address is eligible to claim rewards from day zero rather than from when the shares were originally deposited. This is what the attacker did.
Mudit went on to explain that this bug also allows a user to keep transferring the same shares between different accounts and claiming rewards for them multiple times. Overall, he stated that while this is a relatively straightforward bug, it is surprisingly common, and that the developers or auditors should have caught it in review. Worst of all for Mudit and the affected parties, this is not the first time he has drawn attention to this flaw in the system.
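As an added illustration (not code from Popsicle Finance or from the thread), the MasterChef-style reward accounting the thread describes, simulated in Python: a holder's pending reward is `amount * accRewardPerShare - rewardDebt`, and `transfer` either leaves `rewardDebt` behind (the flaw) or moves it with the shares (one standard fix). The class, function and variable names are assumptions for the simulation.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SCALE = 10**12  # fixed-point scale for acc_reward_per_share (MasterChef-style accounting)

@dataclass
class Account:
    amount: int = 0       # shares held
    reward_debt: int = 0  # rewards already settled: pending = amount*acc/SCALE - reward_debt

@dataclass
class Pool:
    transfer_debt: bool               # False reproduces the flaw described in the article
    acc_reward_per_share: int = 0     # cumulative reward per share, scaled by SCALE
    total_shares: int = 0
    users: dict = field(default_factory=lambda: defaultdict(Account))

    def _debt(self, u):               # debt value at which `u` has nothing pending right now
        return u.amount * self.acc_reward_per_share // SCALE
    def distribute(self, reward):     # pool earns `reward` in fees; spread over outstanding shares
        if self.total_shares:
            self.acc_reward_per_share += reward * SCALE // self.total_shares
    def claim(self, who):             # pay out what `who` is owed and bring its debt up to date
        u = self.users[who]
        owed = self._debt(u) - u.reward_debt
        u.reward_debt = self._debt(u)
        return owed
    def deposit(self, who, shares):
        owed = self.claim(who)        # harvest first, so the new shares earn only from now on
        u = self.users[who]
        u.amount += shares
        self.total_shares += shares
        u.reward_debt = self._debt(u)
        return owed
    def transfer(self, src, dst, shares):
        s, d = self.users[src], self.users[dst]
        if self.transfer_debt:        # hardened; the vulnerable path leaves reward_debt untouched,
            moved = s.reward_debt * shares // s.amount  # so `dst` looks as if it held the shares from day zero
            s.reward_debt, d.reward_debt = s.reward_debt - moved, d.reward_debt + moved
        s.amount, d.amount = s.amount - shares, d.amount + shares

def rewards_extracted(transfer_debt):  # constructed scenario: one 50-unit fee payout, then shares hop across 3 wallets
    pool = Pool(transfer_debt)
    pool.deposit("a", 100)
    pool.distribute(50)
    total = pool.claim("a")                  # the legitimate 50
    for src, dst in (("a", "b"), ("b", "c")):
        pool.transfer(src, dst, 100)
        total += pool.claim(dst)             # vulnerable: 50 more per hop; hardened: 0
    return total
```

With `transfer_debt=False` the three wallets extract 150 units from a pool that only ever earned 50; with the debt moved alongside the shares the total stays at 50. The same property is what a reviewer should check in any share token that also tracks per-holder rewards.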
It appears that, rather than his warning being heeded by developers, it may actually have spurred hackers on to look for other places where this bug lay hidden.
To put these exploits into perspective, it is worth remembering that the world of decentralized exchanges and DeFi is only a few years old, and that Uniswap V3, arguably the most capital-efficient decentralized exchange, launched only three months ago. DeFi is evolving and, as such, presents opportunities for those with the know-how. Obviously, this is not the first major exploit of 2021, and we are certain it won’t be the last. What is perhaps most vital is how Popsicle deals with the aftermath and any reimbursements.
The above does not constitute investment advice. The information given here is purely for informational purposes only. Please exercise due diligence and do your research. The writer holds positions in ETH, BTC, ADA, NIOX, AGIX, MANA, SAFEMOON, SDAO, CAKE, HEX, LINK, GRT, CRO, SHIBA INU, AND OCEAN.