Decentralized market maker Popsicle Finance has been hit by a $20 million exploit, due to a “simple” bug. This adds to the list of more than 20 DeFi hacks that have happened so far this year, pushing the total haul north of $310 million.
“We are aware of the current exploit to Fragola. We will investigate and publish post mortem. The other Popsicle Finance’s contracts have not been exploited. If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately,” tweeted Popsicle Finance. (Fragola is a tool that provides liquidity and helps liquidity providers maximize trading fee earnings.)
The perpetrator reportedly used flash loans (where tokens are borrowed, used for some function and repaid, all in the same transaction) to borrow some $30 million in tether (USDT) and $32 million in ether (ETH). The borrowed funds were used to maximise the impact of the attack.
According to SushiSwap core developer Mudit Gupta, “the hack was complex but the bug was simple.” He explained that, under certain conditions, the contract was allowing anyone to receive rewards from much further back in time than they should have. It also let the perpetrator claim rewards multiple times for the same shares.
Gupta added that this was a rather common bug that has been exploited in around a dozen other protocols prior to this attack.
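The class of accounting bug Gupta describes can be modelled with a reward-per-share pool. This is an added example, not Popsicle Finance's code: the names (`RewardPool`, `settle_on_transfer`, the accounts) and all amounts are constructed, and it assumes the triggering condition is a share transfer that skips settling each side's reward checkpoint, which the article does not specify.

```python
PRECISION = 10**18  # fixed-point scale, as on-chain integer math would use

class RewardPool:
    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares, self.checkpoint, self.owed = {}, {}, {}
        self.total_shares = self.reward_per_share = 0
        self.fees_in = self.paid_out = 0

    def _settle(self, who):
        # Credit rewards accrued since this account's last checkpoint.
        delta = self.reward_per_share - self.checkpoint.get(who, 0)
        self.owed[who] = self.owed.get(who, 0) + self.shares.get(who, 0) * delta // PRECISION
        self.checkpoint[who] = self.reward_per_share

    def deposit(self, who, amount):
        self._settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount

    def add_fees(self, amount):
        self.reward_per_share += amount * PRECISION // self.total_shares
        self.fees_in += amount

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:  # hardened: checkpoint both sides first
            self._settle(src)
            self._settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def claim(self, who):
        self._settle(who)
        out, self.owed[who] = self.owed[who], 0
        self.paid_out += out
        return out

def scenario(settle_on_transfer):
    """Constructed sequence; returns (rewards paid out, fees deposited)."""
    pool = RewardPool(settle_on_transfer)
    pool.deposit("alice", 100)
    pool.add_fees(1000)
    pool.deposit("bob", 100)
    pool.add_fees(1000)
    pool.claim("bob")                   # bob collects his fair share
    pool.transfer("bob", "carol", 100)  # the same shares move to a fresh account
    pool.claim("carol")
    pool.claim("alice")
    return pool.paid_out, pool.fees_in
```

The invariant worth testing in any such contract is that rewards paid out never exceed fees deposited; without settlement on transfer, the receiving account is credited from a checkpoint of zero and the same shares earn rewards twice.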