‘Audited’ DeFi project Popsicle Finance gets exploited for $21 million
Multichain yield platform Popsicle Finance ($ICE) suffered a significant exploit today, resulting in a loss of $21 million.
Initial reports claim attackers took advantage of a flaw in the fee accounting mechanism, draining several tokens in the process.
What’s more, the protocol in question, Sorbetto Fragola, had been audited by Peckshield, arguably giving investors a false sense of confidence in the robustness of the smart contract.
“Sorbetto Fragola allows for users to provide funds, that are then used to liquidity provide (LP) on Uniswap V3, with the Popsicle strategy making sure that the funds are never outside of the LP range.”
This latest incident further calls into question the purpose of smart contract audits and whether they have any merit at all.
What happened with Popsicle Finance?
Peckshield published its audit of Sorbetto Fragola on GitHub on June 28. Strangely, the published audit report appears to be missing pages from its beginning.
Nonetheless, their smart contract code review turned up six coding bugs, four of which were classed as medium severity, one low severity, and one informational.
The report states five of the six bugs were fixed, with the medium severity issue of “Incorrect Amount Calculation In burnLiquidityShare()” being “Confirmed.”
The noted bugs did not mention flaws to do with fee accounting.
Popsicle Finance exploited, hacker drained ~$25m. The hack was complex but the bug was simple. TX Hash: https://t.co/CqyVvCq5I7
Basically, Popsicle doesn't transfer the reward debt when users transfer their shares. This exposes multiple exploits, one of which was used here 🧵👇 pic.twitter.com/shdYdyemD9
— Mudit Gupta (@Mudit__Gupta) August 4, 2021
In its post mortem, Peckshield said the lack of proper fee accounting enabled the hacker to collect rewards they were not entitled to. Repeating the process across seven other pools multiplied their gains.
“The hack was due to the lack of proper fee accounting when LP tokens are transferred. Specifically, the attacker creates three contracts A, B, and C and repeats in the sequences of A.deposit(), A.transfer(B), B.collectFees(), B.transfer(C), C.collectFees() for eight pools.”
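The accounting flaw described above, shown as an added Python model rather than Popsicle Finance's contract code or anything from Peckshield's report. It uses the common "reward debt" pattern: each holder's claimable fees are `shares * accumulated_fee_per_share - reward_debt`, so reward debt has to be re-based whenever a position changes. The `Pool` class, the `accrue_fees`/`run_sequence`/`solvent` helpers and the 1,000-share, 100-fee figures are all constructed for this example; the flag `move_debt_on_transfer=False` reproduces the bug (shares move, reward debt stays behind) and `True` is the hardened form, which settles both parties and re-bases their debt on every transfer. The sequence replayed is the one from the post mortem, and the check is the solvency invariant a defender would assert: total fees paid out can never exceed total fees accrued.

```python
# Added illustration of reward-debt accounting; not Popsicle Finance's code.
from dataclasses import dataclass, field

PRECISION = 10**12  # fixed-point scale for acc_fee_per_share


@dataclass
class Pool:
    # False reproduces the flaw the post mortem describes: shares are moved on
    # transfer but the sender's reward debt is not. True is the hardened form.
    move_debt_on_transfer: bool
    shares: dict = field(default_factory=dict)
    reward_debt: dict = field(default_factory=dict)
    total_shares: int = 0
    acc_fee_per_share: int = 0  # cumulative fees per share, scaled by PRECISION
    accrued: int = 0            # total fees ever credited to the pool
    paid_out: int = 0           # total fees handed to share holders

    def _debt_at_current_level(self, who):
        # What `who` would owe as reward debt if their position were opened now.
        return self.shares.get(who, 0) * self.acc_fee_per_share // PRECISION

    def pending(self, who):
        return self._debt_at_current_level(who) - self.reward_debt.get(who, 0)

    def collect_fees(self, who):
        owed = self.pending(who)
        self.reward_debt[who] = self._debt_at_current_level(who)
        self.paid_out += owed
        return owed

    def deposit(self, who, amount):
        self.collect_fees(who)  # settle before the position changes
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount
        self.reward_debt[who] = self._debt_at_current_level(who)

    def accrue_fees(self, amount):
        # Constructed stand-in for LP fees flowing into the pool.
        self.accrued += amount
        self.acc_fee_per_share += amount * PRECISION // self.total_shares

    def transfer(self, sender, receiver, amount):
        if self.move_debt_on_transfer:
            # Hardened: pay out what both sides have earned so far ...
            self.collect_fees(sender)
            self.collect_fees(receiver)
        self.shares[sender] -= amount
        self.shares[receiver] = self.shares.get(receiver, 0) + amount
        if self.move_debt_on_transfer:
            # ... then re-base both debts so the moved shares carry no stale claim.
            self.reward_debt[sender] = self._debt_at_current_level(sender)
            self.reward_debt[receiver] = self._debt_at_current_level(receiver)


def run_sequence(move_debt_on_transfer):
    """Replay the deposit / transfer / collect pattern from the post mortem.

    Returns (fees_accrued, fees_paid_out) for one pool.
    """
    pool = Pool(move_debt_on_transfer)
    pool.deposit("A", 1_000)
    pool.accrue_fees(100)        # constructed: 100 fee units earned by the pool
    pool.collect_fees("A")       # A is legitimately owed all 100
    pool.transfer("A", "B", 1_000)
    pool.collect_fees("B")       # should be 0: those fees were already paid to A
    pool.transfer("B", "C", 1_000)
    pool.collect_fees("C")       # likewise 0
    return pool.accrued, pool.paid_out


def solvent(move_debt_on_transfer):
    """Invariant a pool must keep: it never pays out more fees than it accrued."""
    accrued, paid = run_sequence(move_debt_on_transfer)
    return paid <= accrued


if __name__ == "__main__":
    for mode in (False, True):
        accrued, paid = run_sequence(mode)
        print(f"move_debt_on_transfer={mode}: accrued={accrued} paid_out={paid} "
              f"solvent={paid <= accrued}")
```

With the flag off, the same 100 fee units are paid three times (to A, B and C) because every receiver starts with zero reward debt against shares that already carry a full claim; with the flag on, only the original 100 leave the pool. The invariant in `solvent` is cheap to check in a test suite or an audit harness, and it is the property that a transfer hook in any reward-debt style contract has to preserve.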
The end result was a total loss of $20.7 million, consisting of 2.6K WETH, 5.4M USDC, 5M USDT, 160K DAI, 10K UNI, and 96 WBTC.
CipherTrace warns that DeFi fraud is at record levels
Blockchain analytics firm CipherTrace reports that while crypto crime is declining in 2021, DeFi fraud is at record levels.
For the four months to April 2021, crypto criminals stole $432 million, with 56% of that, or $240 million, coming from DeFi related crime.
The CEO of CipherTrace, Dave Jevans, said that as DeFi grows, bad actors will continue to exploit inadequate smart contract security.
“…bad actors will seek to take advantage of the hype to draw people into scams and hackers will seek out projects that have launched without performing adequate security audits, exploiting loopholes encoded in the smart contracts.”
Peckshield concluded that Sorbetto Fragola had a “clearly organized” codebase, and that identified issues were fixed or confirmed. But this is little consolation for investors who lost money.