#23 Food For Thought : Popsicles
This series is intended as an introduction to the world of Decentralized Finance by exploring its young but rich history.
Today we will describe the recent events that led to $20.7mm of investor funds being stolen and, most importantly, what’s being done now after the hack.
Ice Cold - Popsicle.Finance
What are we talking about here? Let’s first start with some background. We’ve been describing Uniswap and Sushiswap, which are Automated Market-Making (AMM) Liquidity Provider (LP) protocols. This means you can deposit, say, ETH and USDC on Uniswap or Sushiswap, and their protocol will automatically perform a market-making role as other users swap ETH for USDC or vice versa. We described how to become a Liquidity Provider in our How To DeFi Series.
Where does Popsicle.Finance fit into all this?
Here is the description from CoinGecko:
A next-gen cross-chain yield enhancement platform focusing on Automated Market-Making (AMM) Liquidity Providers (LP)
And from popsicle.finance themselves:
Popsicle Finance will manage liquidity across multiple chains in order to increase capital efficiency and automatically provide its users with the highest possible yield on the assets they wish to deploy to liquidity pools.
We hope that our products will not only help our users but that they will also provide a valuable service to the cryptocurrency ecosystems as a whole.
In layman’s terms, they are building various protocols that interact with the existing AMMs, for example Uniswap’s new V3 protocol. The V3 protocol allows a more sophisticated Liquidity Provider to fine-tune their strategy. Popsicle.finance looks to optimize these new LP strategies in their Sorbetto Fragola product. You can read more about Sorbetto Fragola here. This new protocol is intended for users looking to earn yield through optimized LP strategies on Uniswap V3, and as described above it is intended to become a new primitive in the DeFi world.
In order for Sorbetto Fragola to become a new DeFi primitive and “provide a valuable service to the cryptocurrency ecosystems as a whole”, it must first and foremost be secure. The team who built Sorbetto Fragola had two separate audits from two different auditing companies, PeckShield & CertiK.
Sounds great right?! Double audit and slick yield optimizing strategies. What could go wrong?
Melting ICE
On August 3rd, 2021, at 10:53 PM UTC, a hacker executed a transaction that managed to drain 85% of the Sorbetto Fragola (UniswapV3 Optimizer) pools.
Our friend Mr. White Hat (one of the many DeFi lone rangers, in this case BlockSecTeam) returns post mortem to tell us how the funds were stolen, and, no joke, this time it was actually with flash loans.
From popsicle.finance’s description of the hack:
The hacker made the contract believe that he earned as many fees as the total TVL of the pool and thus is entitled to the $20.7m that was in the pool. This hack was only possible because everything happened within one transaction (due to flashloan).
Essentially, AAVE allows you to borrow money and return it in the same transaction in a smart contract. The hacker was able to borrow the money needed to execute the exploit, execute it, and return the loan to AAVE all in one single transaction. This exploit had been missed by the two separate audits popsicle.finance had run on the Sorbetto Fragola code.
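A monitoring heuristic that follows from the description above, as an added example that is not code from Popsicle.Finance, its auditors or this article's authors: it groups events by transaction and flags a fee claim that is implausibly large relative to pool TVL, escalating when a flash loan is borrowed and repaid in the same transaction. The event schema, the 5% threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (hypothetical schema, not real chain data).
# "usd" is the event value; "tvl" is the pool TVL just before the claim.
EVENTS = [
    {"tx": "0xaaa", "kind": "fee_claim", "usd": 1_200, "tvl": 1_000_000},
    {"tx": "0xbbb", "kind": "flash_borrow", "usd": 5_000_000},
    {"tx": "0xbbb", "kind": "fee_claim", "usd": 850_000, "tvl": 1_000_000},
    {"tx": "0xbbb", "kind": "flash_repay", "usd": 5_000_000},
    {"tx": "0xccc", "kind": "flash_borrow", "usd": 2_000_000},
    {"tx": "0xccc", "kind": "flash_repay", "usd": 2_000_000},
]

# Assumed threshold: fees above 5% of TVL in a single claim are implausible.
MAX_CLAIM_RATIO = 0.05


def suspicious_transactions(events, max_ratio=MAX_CLAIM_RATIO):
    """Return alerts for fee claims that are too large relative to pool TVL."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev["tx"]].append(ev)

    alerts = []
    for tx, evs in by_tx.items():
        kinds = {e["kind"] for e in evs}
        # Borrow and repay inside one transaction is the flash-loan pattern.
        flash = {"flash_borrow", "flash_repay"} <= kinds
        for e in evs:
            if e["kind"] != "fee_claim":
                continue
            # A claim against an empty pool is treated as maximally suspicious.
            ratio = e["usd"] / e["tvl"] if e["tvl"] > 0 else float("inf")
            if ratio > max_ratio:
                alerts.append({
                    "tx": tx,
                    "ratio": round(ratio, 3),
                    "flash_loan": flash,
                    "severity": "critical" if flash else "review",
                })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_transactions(EVENTS):
        print(alert)
```

A flash loan on its own (transaction 0xccc in the sample) is not flagged; the signal is the oversized fee claim, and the flash loan only raises its severity.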
Re-Freezing
What is to be done for the investors that lost money?
The team behind popsicle.finance reacted quickly with a live AMA in Twitter Spaces. A Popsicle Recovery plan was put together and a community proposal was voted on. This is the power of DeFi. Popsicle.Finance’s native token, ICE, can be used by token holders to vote on various proposals that govern the protocol. This means the community was able to have a direct voice in how investors would be compensated for lost funds.
Highlights of recovery plan
Application with Immunefi to their white hat hacker program
Certora will perform a third audit
A $1 million loan from the Ironbank, with which we will immediately pay back 5% of the funds lost. Thereafter, we get a loan each month minimum of $500k, which will be used to pay back further funds.
Popsicle.Finance founder Daniele Sestagalli is pledging 1,000,000 ICE from his personal allocation to be streamed over 1 year to the LPers in respective value that they have lost.
A partnership with an artist to create special NFTs that will be given to investors who lost funds. These NFTs will possess future utility in the popsicle.finance ecosystem.
Buy The Hack
Our own @haal69k has introduced this idea of “buy the hack” in DeFi. Essentially, Popsicle.Finance is a robust project, with a great team and a strong idea. As we mentioned in our previous writing, DeFi is new and needs to be battle tested to become a hardened product. Here at Foot Guns we view this exploit as an opportunity to enter the popsicle.finance ecosystem. The team has set the precedent that they are first and foremost looking out for their user base. As we said, when you use DeFi in its young state you are a product tester, and good protocols will reward you for being there in the beginning and taking on the risk to help strengthen the protocol.
So, how do you do it? Through the ICE token, or just go try these vaults out for yourself. Lightning never strikes twice, right? You now know the risks and you know that long term you’ll be compensated for the risk taking. If the protocol is fundamentally valuable and the exploit is easily fixable, then the show goes on.
Other than the volume spike on August 3rd you can barely see the hack in the price chart. We think ICE is very undervalued here. This could be a once in a lifetime buying opportunity.
You can only buy ICE inside of DeFi. Check out our How To DeFi series that teaches you how to use Sushiswap or Uniswap and from there you can swap into ICE.
I like your writing style and the article, but you are also a bit naive. The popsicle team seems like a bunch of good guys who work hard on recovery, but it doesn't make them a solid coding team so far. The UX/UI is mediocre and was always full of bugs. The team clearly didn't have enough coding and security practices in their team, the bug was well known as an exploit upfront and the code of Fragola was unnecessarily complex. The team seems to lack the experience. I'll put my bets on other V3 teams.