Popsicle Finance $25 million bug has been used to exploit a dozen protocols so far
Popsicle Finance has become the latest DeFi protocol to be affected by a bug that has enabled hackers to extract $25 million by exploiting the reward debt mechanism.
The bug bounty hunter and security researcher expert Mudit Gupta said that this bug in not a new exploit, and that it has been used lots of times to exploit other protocols. He said that he had reported the bug back in June, having been found in WildCredit.
The way the bug worked was that variables that kept track of deposits, were not updated by the system the moment that they were made. This enabled a nefarious actor to claim rewards from the same shares using multiple accounts.
Popsicle Finance has admitted that its Fragola contract was breached and has advised traders to remove all funds from ETH/AXS, ETH/SLP, ETH/LINK, or any EURt Pool as soon as possible.
The team does say the rest of the contracts on Popsicle Finance are completely safe and remain unaffected. The team has also now published a post mortem of the event.
According to Coin Gecko, $ICE, the token for Popsicle Finance, is trading 35% down over the last 24 hours. This brings the price down from $2.25 to its current price of $1.45.