Popsicle Finance
HackedDeFi · $ICE · born 2021 · ✝ 2021
A rewards-accounting flaw melted ~$20M away.
Popsicle Finance was a cross-chain yield-optimizer on Ethereum that auto-managed concentrated liquidity positions. In August 2021 an attacker exploited a flaw in its reward-accounting logic, using flash loans to claim fees they never earned and draining roughly $20M.
- Peak
- ~$20M stolen
- Cause
- Hacked
- Year of death
- 2021
☠️ Cause of death
Fee rewards were tracked per token rather than per holding period, so an attacker could deposit, instantly claim accrued rewards, and repeat to drain the vaults.
📓 Lessons left behind
- —Tie rewards to time held, not just balance at claim.
- —Test incentive logic against deposit-claim-withdraw loops.
- —Flash loans weaponize any same-block reward shortcut.
🌱 The idea that survived
Time-weighted rewards
Reinforced reward accounting that resists same-block deposit-and-claim gaming.
#defi#flash-loan#rewards