VERDICT —UNRATED
Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.
▰ METHOD
Undisclosed
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
▰ PROOF OF CONCEPT
DEFIHACKLABS
src/test/2021-08/Popsicle_exp.sol
view forked test on github ↗Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
Forensic narrative
Popsicle Finance, a multi-chain revenue optimization platform, was attacked. The core of this vulnerability is that the same PLP certificate can bring benefits to multiple holders at the same time node due to the defect in the reward update record. Attack method (per SlowMist): Reward Mechanism Flaw. Reported loss: $ 20,000,000.
Primary source
https://popsiclefinance.medium.com/popsicle-finance-post-mortem-after-fragola-hack-f45b302362e0 ↗Sourced from
slowmist
Technical record
- chain
- —
- protocol
- Popsicle Finance
- bug_class
- unknown
- date_occurred
- 2021-08-04
- loss_usd
- $20,000,000
- source_id
- sm:popsicle-finance::2021-08-04
Related — same bug class