Popsicle Finance ($ICE), a multichain yield optimization platform for liquidity providers has become the latest Defi protocol to face a major exploit on its network. The hackers managed to drain a whopping $25 million by exploiting a bug in the reward debt mechanism.
Mudit Gupta, a known bug bounty hunter explained that the protocol doesn’t transfer reward debt when users send their share of tokens. The network updates `token0PerSharePaid` and `token1PerSharePaid` against depositors to keep track of the deposited tokens. This way the protocol payout users from the date they entered rather than from the first day. However, the bug here is that these variables are not updated as soon as the user deposits tokens into the system.
This way a user can claim rewards for the same share from multiple accounts as it is not registered on the network. This was what the explorers did with the Popsicle finance and managed to get away with $25 million worth of tokens.
Gupta highlighted that the bug is not new and has been exploited a dozen times on other protocols as well. He himself had reported the same bug in June.
In June, I reported the same bug in WildCredit. This bug has been exploited in like a dozen other protocols already. Auditors and Smart contract devs need to keep up with the ecosystem. This code should not have made it to production.
Popsicle Finance acknowledged the hack on its network but assured that only the Fragola contract was breached and rest all contracts are completely secure. They also advised traders to remove any funds from ETH/AXS, ETH/SLP, ETH/LINK, or any EURt Pool immediately.
We are aware of the current exploit to Fragola. We will investigate and publish post mortem.
The other Popsicle Finance's contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
— Popsicle Finance (@PopsicleFinance) August 4, 2021
$ICE Price Nose Dive by 50%
The exploit had an immediate impact on the price of the native token called ICE which fell by 50%. The price of the ICE token nose-dived from a daily high of $2.31 to a daily of $0.931 before recovering up to $1.15.
The popularity of defi and the launch of new projects with instant success has made it one of the biggest attractions for exploiters. Only last month Polygon-based Safedollar was exploited as well that saw its price crash to zero.