Popsicle Finance, a decentralized market maker, has been hit by a $20 million exploit caused by a “simple” bug. This adds to the more than 20 DeFi hacks that have occurred this year, bringing the total haul to more than $310 million.
“We are aware of the current Fragola exploit. We will conduct an investigation and publish a post mortem report. The remaining Popsicle Finance contracts have not been used. If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK, or any EURt Pool, please withdraw them as soon as possible,” Popsicle Finance tweeted. (Fragola is a tool that helps liquidity providers maximize trading fee earnings by providing liquidity.)
The perpetrator allegedly borrowed $30 million in tether (USDT) and $32 million in ether (ETH) via flash loans, in which tokens are borrowed, used for some function, and repaid all in the same transaction. The borrowed funds were used to maximize the attack’s impact.
“The hack was complex, but the bug was simple,” says SushiSwap core developer Mudit Gupta. He explained that the contract, under certain conditions, allowed anyone to receive rewards from much further back in time than they should have. It also allowed the perpetrator to claim rewards for the same shares multiple times.
Gupta went on to say that this was a fairly common bug that had been exploited in a dozen other protocols prior to this attack.
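The bug class Gupta describes can be written as an accounting invariant: total rewards paid out must never exceed total fees collected. The sketch below is an added example, not Popsicle Finance's code. It is a toy Python model with hypothetical names (`RewardPool`, `move_shares`, `audit`), and it assumes the triggering condition is shares changing owner without both accounts' reward checkpoints being settled first; the article does not specify the condition.

```python
from fractions import Fraction

class RewardPool:
    """Toy model (hypothetical names): fees shared via a per-share accumulator."""

    def __init__(self, settle_on_move):
        self.settle_on_move = settle_on_move  # False models the bug class
        self.acc = Fraction(0)                # cumulative fees per share
        self.total_fees = Fraction(0)
        self.shares, self.checkpoint, self.owed = {}, {}, {}

    def _settle(self, who):
        # Credit only the rewards accrued since this account's last checkpoint.
        delta = self.acc - self.checkpoint.get(who, Fraction(0))
        self.owed[who] = self.owed.get(who, Fraction(0)) + self.shares.get(who, 0) * delta
        self.checkpoint[who] = self.acc

    def deposit(self, who, amount):
        self._settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount

    def add_fees(self, amount):
        self.acc += Fraction(amount, sum(self.shares.values()))
        self.total_fees += amount

    def move_shares(self, src, dst, amount):
        # Assumed trigger condition: shares change owner without settlement.
        if self.settle_on_move:
            self._settle(src)
            self._settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def claim(self, who):
        self._settle(who)
        paid, self.owed[who] = self.owed[who], Fraction(0)
        return paid

def audit(settle_on_move):
    """Return (total paid out, total fees collected) for a constructed scenario."""
    pool = RewardPool(settle_on_move)
    pool.deposit("a", 100)
    pool.add_fees(50)
    paid = pool.claim("a")           # legitimate claim for the 100 shares
    pool.move_shares("a", "b", 100)  # same shares, new holder
    paid += pool.claim("b")          # should be 0: "b" held nothing while fees accrued
    return paid, pool.total_fees

if __name__ == "__main__":
    for fixed in (False, True):
        paid, fees = audit(fixed)
        print(f"settle_on_move={fixed}: paid={paid} fees={fees} solvent={paid <= fees}")
```

A property test asserting `paid <= fees` after arbitrary sequences of deposits, share movements and claims is the regression check that catches this class of bug before deployment.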