Home > CryptoNews > DeFi News > Popsicle Finance DeFi Platform Suffers $20M Flash Loan Exploit

Popsicle Finance DeFi Platform Suffers $20M Flash Loan Exploit

Popsicle Finance DeFi Platform Suffers $20M Exploit

Popsicle Finance DeFi platform is the latest victim of DeFi crimes as it suffered a $20 million flash loan exploit on Wednesday.

Popsicle Finance, a multi-chain yield optimization platform for liquidity providers, on Wednesday, August 4, announced that its Sorbetto Fragola, a Uniswap V3 LP optimizer and autopilot, was hacked and the attacker was able to get away with $20.7 million in users funds.

According to a post-mortem report released on Wednesday, this was a flash loan attack. The attack affected Popsicle’s Sorbetto Fragola pool, a Uniswap V3 LP optimizer. The report describes the working of this pool as a five-step procedure.

  • When a user deposits funds to the Sorbetto Fragola pool, funds straight to UniV3.
  • “Popsicle Liquidity Provider (PLP) shares are then given to the user.”
  • This contract is given info about the user, how much he put in, and states when he deposited.”
  • “The contract checks the user’s position and how much fees he has earned proportionally to the total pool.”
  • “The contract gives out the fees based on the set parameters.”

The attacker exploited the third step, the state function.

According to SushiSwap developer Mudit Gupta, the attack was a complex one but was due to a simple commonly known bug that should have been caught. When a user deposits funds, the Fragola contract updates token0PerSharePaid and token1PerSharePaid against his account to keep track of when he deposited the tokens. This allows the contract to pay the user the fees from the direct state.

According to Mudit Gupta:

The report reads:

“The hacker made the contract believe that he earned as many fees as the total TVL of the pool and thus is entitled to the $20.7m that was in the pool. This hack was only possible because everything happened within one transaction (due to flashloan).”

According to another explanation by a Twitter user Kenrick, the hacker took a flash loan of $30 million in Tether (USDT) and 13K ETH from Aave and then deposited these funds into Popsicle Sorbetto Fragola pool. By exploiting the bug, the perpetrator claim rewards multiple times for the same shares.


The attacker first swapped the stolen funds with ETH and then laundered them with Tornado.Cash.

If you found this article interesting, here you can find more DeFi News