Popsicle Finance lost $25M due to a logic flaw in fee accrual calculations that allowed an attacker to claim inflated fees from liquidity pools.
The attacker exploited a flaw in Popsicle Finance's fee accrual logic. The protocol incorrectly calculated fee entitlements when liquidity was added, failing to account for already-accrued fees. By repeatedly adding liquidity and claiming fees, the attacker could claim far more than their fair share, draining the protocol's accumulated fee reserves across multiple chains.
Stolen funds converted to ETH and stablecoins via DEX aggregators. ETH moved through Tornado Cash across multiple deposits. Popsicle Finance team published a post-mortem and launched a compensation fund. The attacker was never identified. Multiple chains affected simultaneously, complicating tracking efforts.