$25 Million Popsicle Finance Exploit
The Intelligent Insurer #27 - Hacker exploits common bug in DeFi protocol to drain $25 million from users - Insured Finance Development Update
Popsicle Finance has joined the long list of decentralized finance (DeFi) projects that have suffered an exploit in 2021. By taking advantage of a bug in the protocol’s smart contract, hackers were able to steal $25 million, resulting in an initial 50% slump in the price of the platform’s native token ICE.
The Popsicle Finance attack was possible due to a bug in the reward debt mechanism of the protocol’s smart contract. Attackers were able to claim rewards by moving their funds, because the contract lagged in recording that the funds had been moved. We go into further detail about the attack below. More concerning, however, is that this is not the first time this bug has been identified: a bug bounty hunter estimates that it is present in roughly a dozen protocols.
The development should raise concerns among DeFi investors, as their funds are at risk of the same kind of exploit that hit Popsicle Finance. In the latest Intelligent Insurer, we explain the Popsicle Finance attack while also detailing how investors can protect against such risks. However, before covering the attack, we present our weekly development update.
Insured Finance Development Update
As this week’s update will highlight, we made significant progress on many of the tasks that were outlined in last week’s update. We are close to fully finalizing many important functions of the marketplace and have identified some important tasks to be completed over the following weeks. We will also continue to place a strong emphasis on reviewing and refining the codebase.
✔️ Updates from last week:
Last week, we noted that we were continuing towards developing a bridge between the Goerli and Mumbai testnet for the INFI token. This bridge has now been fully developed and we are awaiting approval from external auditors.
We also noted that we had been working on the claims process for stablecoin devaluation. We have made significant progress on this milestone. We have finalized the claims submission and payout rules. We have completed the smart contract for the claims submission. The smart contract for the claims payout is still under development.
We also noted that we intended to integrate the front-end design and backend processes for various listing offers and deposit functionalities. In terms of listing offers we have fully integrated the frontend and backend and are currently addressing some bugs. For deposit functionalities, we have refined the frontend and will proceed with integration over the following week.
🗒️ Coming Up:
We have further frontend and backend integrations coming up over the following weeks. Pages that present information relating to user insurance coverage and pages related to insurance requests will be integrated.
We intend to carry out an internal test over the following weeks to identify any bugs that may be present in the current codebase. In a recent review, we also identified some small bugs that need to be addressed.
We will continue to monitor the overall performance and security of the Insured Finance marketplace to ensure that it offers a secure and easy-to-use insurance solution.
Insured Finance is committed to being the leading insurance solution for digital asset users. As our updates highlight, we have been making strong progress on the platform while consistently reviewing the codebase to ensure that any bugs are quickly addressed. As we continue to make strong development progress, users can be assured of an intuitive and secure insurance solution.
Popsicle Finance bug present in other DeFi protocols
Popsicle Finance is a DeFi farming platform that allows liquidity providers to access the best yields across multiple blockchains. Liquidity providers can put their capital on “auto-pilot” and allow Popsicle Finance to allocate it to the highest-yielding segments of the DeFi market.
However, a bug in the platform’s code resulted in a level of inconsistency in tracking users’ deposits. An attacker was able to transfer funds to new addresses and claim rewards while the withdrawal from the previous address did not immediately update. The attacker exploited the bug to the tune of $25 million.
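A simplified Python model of the accounting flaw described above, added here as an illustration; it is not Popsicle Finance's contract code. The class, method and holder names are assumptions, and the check an auditor would run is the invariant that rewards paid out never exceed fees accrued, with and without settling rewards on transfer.

```python
from collections import defaultdict
SCALE = 10**18  # fixed-point scale for the per-share accumulator

class FeePool:
    """Toy share-based fee pool: a constructed model, not Popsicle Finance's contract."""
    def __init__(self, settle_on_transfer):
        self.settle_on_transfer = settle_on_transfer
        self.shares = defaultdict(int)
        self.checkpoint = defaultdict(int)  # accumulator value at each holder's last settle
        self.owed = defaultdict(int)
        self.total_shares = self.acc_per_share = self.accrued = self.paid = 0

    def _settle(self, who):
        delta = self.acc_per_share - self.checkpoint[who]  # growth since last settle
        self.owed[who] += self.shares[who] * delta // SCALE
        self.checkpoint[who] = self.acc_per_share

    def deposit(self, who, amount):
        self._settle(who)
        self.shares[who] += amount
        self.total_shares += amount

    def accrue(self, fees):
        self.acc_per_share += fees * SCALE // self.total_shares
        self.accrued += fees

    def transfer(self, src, dst, amount):
        if self.settle_on_transfer:  # hardened: settle both sides before balances move
            self._settle(src)
            self._settle(dst)
        self.shares[src] -= amount
        self.shares[dst] += amount

    def claim(self, who):
        self._settle(who)
        self.paid += self.owed[who]
        self.owed[who] = 0

def audit(settle_on_transfer):  # returns (rewards paid out, fees accrued)
    pool = FeePool(settle_on_transfer)
    pool.deposit("holder_a", 100)   # constructed holders and amounts
    pool.deposit("holder_b", 100)
    pool.accrue(1_000)
    pool.transfer("holder_b", "fresh_addr", 100)
    pool.claim("fresh_addr")
    pool.transfer("fresh_addr", "holder_b", 100)
    pool.claim("holder_b")
    pool.claim("holder_a")
    return pool.paid, pool.accrued
```

With `settle_on_transfer=False` the same 100 shares are credited once at each address, so the pool pays out more than it accrued; settling both sender and receiver before the balance moves restores the invariant.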
The bug was exploited on August 3rd, and Popsicle Finance quickly advised traders to remove their funds from ETH/AXS, ETH/SLP, ETH/LINK, or any EURt Pool immediately. The price of Popsicle Finance’s native token ICE subsequently plummeted, leading to a two-day decline of roughly 40%.
(Source: Tradingview.com)
More concerning, a similar attack was reported in June by bug bounty hunter Mudit Gupta. Gupta pointed out that the same bug was present in lending protocol WildCredit. Gupta further notes that the bug is present in roughly a dozen other DeFi protocols.
Holders with insurance are eligible for compensation.
Not every Popsicle Finance user will suffer the full extent of the attack. Those who secured insurance against Popsicle Finance exploits will be eligible for full compensation of their lost funds. Some insurers have even reached out to users to let them know that they are eligible for this compensation.
Digital asset insurance is a rapidly growing segment of the cryptocurrency market. Such solutions are becoming increasingly pertinent as emerging protocols continue to be hacked. The prevalence of identical bugs across several DeFi protocols, as highlighted by Mudit Gupta, only further emphasizes the need for insurance solutions. DeFi is still evolving and will remain a high-risk technology as it continues to innovate.
For DeFi investors who are seeking to employ digital asset insurance solutions, Insured Finance is positioning itself to be a premier option. It is the first two-sided marketplace which allows users to secure coverage that is completely tailored to their holdings.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.