Popsicle Finance, a multi-chain yield optimization platform for liquidity providers, on Wednesday, August 4, announced that its Sorbetto Fragola, a Uniswap V3 LP optimizer and autopilot, was hacked and that the attacker was able to get away with $20.7 million in users' funds.
We are aware of the current exploit to Fragola. We will investigate and publish a post mortem.
The other Popsicle Finance's contracts have not been exploited.
If you still have funds in the ETH/AXS, ETH/SLP, ETH/LINK or any EURt Pool please remove them immediately.
— Popsicle Finance (@PopsicleFinance) August 4, 2021
According to a post-mortem report released on Wednesday, this was a flash loan attack. The attack affected Popsicle's Sorbetto Fragola pool, a Uniswap V3 LP optimizer. The report describes how this pool works as a five-step procedure.
- When a user deposits funds to the Sorbetto Fragola pool, the funds go straight to UniV3.
- “Popsicle Liquidity Provider (PLP) shares are then given to the user.”
- “This contract is given info about the user, how much he put in, and states when he deposited.”
- “The contract checks the user’s position and how much fees he has earned proportionally to the total pool.”
- “The contract gives out the fees based on the set parameters.”
The attacker exploited the third step, the state function.
According to SushiSwap developer Mudit Gupta, the attack was a complex one but was due to a simple, commonly known bug that should have been caught. When a user deposits funds, the Fragola contract updates token0PerSharePaid and token1PerSharePaid against the user's account to record the pool state at the time of the deposit. This allows the contract to pay the user only the fees accrued since that recorded state.
According to Mudit Gupta:
The bug in Popsicle is that these variables are not updated when the user transfers their share to a different address. The new address is eligible to claim rewards from day 0 rather than from when the user deposited their tokens. This is what the attacker did.
— Mudit Gupta (@Mudit__Gupta) August 4, 2021
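To make the accounting bug concrete, here is an added Python model (not Popsicle's Solidity; the class and user names are hypothetical) of per-share-paid fee accounting, with the missing transfer checkpoint beside the fix:

```python
# Added illustration, not Popsicle's code: "fee per share paid" accounting with the
# transfer bug described above and the fix. Pool, Alice, Bob and Carol are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Pool:
    fix_transfer: bool                 # True = checkpoint both parties on transfer
    fee_per_share: int = 0             # cumulative fees earned per share (scaled)
    shares: dict = field(default_factory=dict)
    per_share_paid: dict = field(default_factory=dict)   # like token0PerSharePaid
    SCALE = 10**18

    def _settle(self, user):
        """Pay fees accrued since the user's checkpoint, then move the checkpoint."""
        delta = self.fee_per_share - self.per_share_paid.get(user, 0)
        owed = self.shares.get(user, 0) * delta // self.SCALE
        self.per_share_paid[user] = self.fee_per_share
        return owed

    def deposit(self, user, amount):
        owed = self._settle(user)      # checkpoint first, as the Fragola deposit does
        self.shares[user] = self.shares.get(user, 0) + amount
        return owed

    def accrue_fees(self, total_fees):
        """Fees collected from Uniswap, spread over all outstanding shares."""
        self.fee_per_share += total_fees * self.SCALE // sum(self.shares.values())

    def transfer(self, src, dst, amount):
        if self.fix_transfer:          # the fix: settle sender and receiver before moving shares
            self._settle(src)
            self._settle(dst)          # a fresh receiver gets today's checkpoint, not day 0
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def collect_fees(self, user):
        return self._settle(user)

def run_scenario(fix_transfer):
    """Alice earns all fees; Bob deposits later and moves his shares to a fresh address."""
    p = Pool(fix_transfer)
    p.deposit("alice", 100)
    p.accrue_fees(1000)                # the pool holds 1000 in fees, all owed to Alice
    p.deposit("bob", 100)              # Bob's checkpoint is the current fee_per_share
    p.transfer("bob", "carol", 100)    # Carol has no checkpoint in the vulnerable version
    return p.collect_fees("carol"), p.collect_fees("alice")
```

In the vulnerable run Carol is paid 1000 despite never having earned anything, so the pool cannot also pay Alice the 1000 she is owed; with the transfer checkpoint in place Carol receives 0.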
The report reads:
“The hacker made the contract believe that he earned as many fees as the total TVL of the pool and thus is entitled to the $20.7m that was in the pool. This hack was only possible because everything happened within one transaction (due to flashloan).”
According to another explanation by a Twitter user, Kendrick, the hacker took a flash loan of $30 million in Tether (USDT) and 13K ETH from Aave and then deposited these funds into the Popsicle Sorbetto Fragola pool. By exploiting the bug, the perpetrator claimed rewards multiple times for the same shares.
1. Deploys 3 contracts
2. Flashloans 30m USDT + 13k ETH + etc from @AaveAave
3. Calls deposit, transfer, collectFees(…), and withdraw pic.twitter.com/juGYv8Gkg0
— kendrick (@kendrick_tn) August 4, 2021
The attacker first swapped the stolen funds with ETH and then laundered them with Tornado.Cash.