Ad
News
‘Audited’ DeFi project Popsicle Finance gets exploited for $21 million ‘Audited’ DeFi project Popsicle Finance gets exploited for $21 million
🚨 This article is 3 years old...

‘Audited’ DeFi project Popsicle Finance gets exploited for $21 million

Another DeFi exploit rocks the cryptocurrency world leading to doubts on the value of smart contract audits.

‘Audited’ DeFi project Popsicle Finance gets exploited for $21 million

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

Multichain yield platform Popsicle Finance ($ICE) suffered a significant exploit today, resulting in a loss of $21 million.

Initial reports claim attackers took advantage of a flaw in the fee accounting mechanism, draining several tokens in the process.

Popsicle finance hack
etherscan.io

What’s more, the protocol in question, Sorbetto Fragola, was audited by Peckshield. Arguably giving investors a false sense of confidence in the robustness of the smart contract.

“Sorbetto Fragola allows for users to provide funds, that are then used to liquidity provide (LP) on Uniswap V3, with the Popsicle strategy making sure that the funds are never outside of the LP range.”

This latest incident further calls into question the purpose of smart contract audits and whether they have any merit at all.

What happened with Popsicle Finance?

Peckshield published its audit of Sorbetto Fragola on GitHub on June 28.  But strangely, that audit report seems to be missing pages from the start of the report.

Nonetheless, their smart contract code review turned up six coding bugs, four of which were classed as medium severity, one low severity, and one informational.

The report states five of the six bugs were fixed, with the medium severity issue of “Incorrect Amount Calculation In burnLiquidityShare()” being “Confirmed.”

The noted bugs did not mention flaws to do with fee accounting.

In the post mortem of what happened, Peckshield said issues related to proper fee accounting enabled the hacker to collect rewards they were not entitled to. Repeating the process across seven other pools multiplied their gains.

“The hack was due to the lack of proper fee accounting when LP tokens are transferred. Specifically, the attacker creates three contracts A, B, and C and repeats in the sequences of A.deposit(), A.transfer(B), B.collectFees(), B.transfer(C), C.collectFees() for eight pools.”

popsicle finance exploit sequence
@peckshield on Twitter.com

The end result was a total loss of $20.7 million consisting of 2.6K WETH, 5.4M USDC, 5M USDT, 160K DAI,10K UNI, and 96 WBTC.

CipherTrace warn that DeFi fraud is at record levels

Blockchain analytics firm CipherTrace reports that while crypto crime is declining in 2021, DeFi fraud is at record levels.

For the four months to April 2021, crypto criminals stole $432 million, with 56% of that, or $240 million, coming from DeFi related crime.

The CEO of CipherTrace, Dave Jevans said as DeFi gets bigger, bad actors will continue to exploit inadequate smart contract security.

“…bad actors will seek to take advantage of the hype to draw people into scams and hackers will seek out projects that have launched without performing adequate security audits, exploiting loopholes encoded in the smart contracts.”

Peckshield concluded that Sorbetto Fragola had a “clearly organized” codebase, and that identified issues were fixed or confirmed. But this is little consolation for investors who lost money.

Posted In: DeFi, Hacks