Popsicle Finance Hack 2021 — $25M Exploit Analysis

Popsicle Finance lost $25M due to a logic flaw in fee accrual calculations that allowed an attacker to claim inflated fees from liquidity pools.

Details

Full Description

The attacker exploited a flaw in Popsicle Finance's fee accrual logic. The protocol incorrectly calculated fee entitlements when liquidity was added, failing to account for already-accrued fees. By repeatedly adding liquidity and claiming fees, the attacker could claim far more than their fair share, draining the protocol's accumulated fee reserves across multiple chains.

Laundering Analysis

Stolen funds converted to ETH and stablecoins via DEX aggregators. ETH moved through Tornado Cash across multiple deposits. Popsicle Finance team published a post-mortem and launched a compensation fund. The attacker was never identified. Multiple chains affected simultaneously, complicating tracking efforts.

Sources

Related Hacks

Back to Browse