Computer security expert Mudit Gupta described the bug as simple but the hack as complex. He also commented that the platform's auditors should have caught the problem, while allowing that they are human and may simply have missed it.

DeFi platform Popsicle Finance, a decentralized market maker, recently suffered a hack in which it lost about USD 20.7 million. The attackers exploited a vulnerability in the code that distributes profits and rewards to users. Popsicle offered the hacker USD 1 million for returning the funds, in an attempt to stop users from leaving the platform.

Mudit Gupta, a security and Ethereum expert, reported on Twitter (unofficially) that the hack was complex while the bug was simple. He explained that the bug lay in the bookkeeping code that is updated when users deposit tokens into the platform. That code should have recorded, in the smart contract, the point at which each user deposited, so that later reward payments could be calculated from that point.

According to Gupta, the variables that hold this record are not updated when a user transfers their shares to another address. As a result, the new address can claim rewards from day zero instead of from the moment the original user deposited the tokens. Gupta said the hacker used exactly this to steal USD 20.7 million, about 85% of the funds in the Sorbetto Fragola pools.

The largest amounts stolen were 5 million Tether (USDT), the same amount of USD Coin (USDC), and 160,000 DAI. Popsicle said that if the hacker returned the funds, the reward would be paid in whichever cryptocurrency he chose.

The same bug also lets the attacker repeat the theft: by transferring the shares through a series of fresh accounts and claiming at each one, the same rewards can be collected many times over. Gupta described the bug as relatively simple but surprisingly common.
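To make the accounting flaw concrete, here is an added example (constructed for this article, not Popsicle Finance's contract code) that models the usual "accumulated reward per share" bookkeeping in Python. A user's reward is the shares they hold times the growth of the per-share accumulator since their last snapshot. The vulnerable transfer moves the share balance but leaves the snapshots alone, so a brand-new receiver (whose snapshot defaults to zero, like an unset Solidity mapping slot) is credited from day zero; bouncing the same shares through fresh addresses repeats the payout, which is the two-step pattern described in the paragraphs above. The names Pool, deposit, claim, transfer and run_attack, and the amounts used, are assumptions of this model.

```python
"""Toy model of per-share reward accounting and the share-transfer bug.

Constructed example: it follows the common "accumulated reward per share"
pattern and is NOT Popsicle Finance's contract code. Class and method names
are assumptions of this model.
"""
from dataclasses import dataclass, field

SCALE = 10 ** 18  # fixed-point scale for per-share values, as Solidity code uses


@dataclass
class Pool:
    fixed_transfer: bool = False   # True = transfer settles both parties first
    total_shares: int = 0
    acc_per_share: int = 0         # cumulative reward per share, scaled by SCALE
    distributed: int = 0           # rewards the pool actually received
    paid_out: int = 0              # rewards handed to claimants
    shares: dict = field(default_factory=dict)
    per_share_paid: dict = field(default_factory=dict)  # acc_per_share at last settlement
    pending: dict = field(default_factory=dict)

    def distribute(self, amount: int) -> None:
        """Pool earns `amount` of rewards, spread over the shares that exist now."""
        if self.total_shares == 0:
            return
        self.distributed += amount
        self.acc_per_share += amount * SCALE // self.total_shares

    def _settle(self, user: str) -> None:
        """Credit rewards earned since the user's last snapshot, then refresh it.

        A never-seen address reads as snapshot 0, just as an unset Solidity
        mapping slot does; that default is what the exploit leans on."""
        owed = (self.shares.get(user, 0)
                * (self.acc_per_share - self.per_share_paid.get(user, 0)) // SCALE)
        self.pending[user] = self.pending.get(user, 0) + owed
        self.per_share_paid[user] = self.acc_per_share

    def deposit(self, user: str, amount: int) -> None:
        self._settle(user)  # snapshot taken at deposit time, so no past rewards
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount

    def claim(self, user: str) -> int:
        self._settle(user)
        out = self.pending.pop(user, 0)
        self.paid_out += out
        return out

    def transfer(self, sender: str, receiver: str, amount: int) -> None:
        """Move shares between addresses.

        Vulnerable form: balance moves, both snapshots stay untouched, so a
        fresh receiver looks as if it had held the shares since day zero.
        Fixed form: settle both sides before the balance changes."""
        if self.fixed_transfer:
            self._settle(sender)
            self._settle(receiver)
        self.shares[sender] -= amount
        self.shares[receiver] = self.shares.get(receiver, 0) + amount

    def solvent(self) -> bool:
        """Invariant a reward contract must keep: never pay out more than it earned."""
        return self.paid_out <= self.distributed


def run_attack(fixed: bool, hops: int) -> dict:
    """Honest user deposits, rewards accrue, attacker deposits afterwards and
    bounces the shares through `hops` fresh addresses, claiming at each stop."""
    pool = Pool(fixed_transfer=fixed)
    pool.deposit("honest", 100)
    pool.distribute(1000)          # 10 rewards per share, all earned by "honest"
    pool.deposit("attacker", 100)  # snapshot = current accumulator, honestly owed 0
    stolen = 0
    holder = "attacker"
    for i in range(hops):
        fresh = f"attacker_wallet_{i}"  # new address, snapshot defaults to 0
        pool.transfer(holder, fresh, 100)
        stolen += pool.claim(fresh)
        holder = fresh
    honest = pool.claim("honest")
    return {"distributed": pool.distributed, "attacker": stolen,
            "honest": honest, "solvent": pool.solvent()}


if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False, hops=3))
    print("fixed:     ", run_attack(fixed=True, hops=3))
```

In the vulnerable run the pool earns 1000 but pays out 4000 (three fresh wallets collect 1000 each on top of the honest user's 1000), so the `solvent` invariant fails; with the settling transfer every fresh wallet collects 0 and the pool stays solvent. The check to look for in a review of this kind of code is that every path that changes a balance (deposit, withdraw, transfer, and any transferFrom or minting hook) settles the affected accounts first.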

Finally, Gupta commented that Popsicle Finance's auditors should have detected these problems in their reviews, while noting that auditors are human and can make mistakes. He added that the hash of the malicious transaction should be visible on Etherscan.

DeFi Platforms Are a Recurring Target

During 2020 and 2021, decentralized finance (DeFi) platforms have been the victims of many hacks. One of the most significant attacks this year was the Pancake Bunny exploit, in which the platform lost USD 45 million.

Not all of these crimes rely on technical exploits. In recent days, the US Securities and Exchange Commission (SEC) shut down an alleged DeFi service provider whose sole purpose was to scam investors and customers by promising returns it would never deliver.

The proliferation of DeFi platforms provides fertile ground for such scams, so investors should trade only with well-known and reputable protocols. Developers, for their part, need to build better tooling that raises the security bar; doing so protects both the platforms and their users and builds trust in digital investments.

By Alexander Salazar
