Popsicle Finance Reward Accounting
$20.7M drained from Popsicle's Sorbetto Fragola pool after flash loans plus share transfers tricked the contract into owing the attacker rewards equal to TVL.
- Date: August 4, 2021
- Victim: Popsicle Finance
- Funds Stolen: ~$20.7M
On August 4, 2021, the DeFi platform Popsicle Finance lost approximately $20.7 million from its Sorbetto Fragola liquidity pool. The attacker used flash loans and a sequence of share transfers between addresses to trick the contract's reward-tracking logic into believing they were owed rewards equal to the entire pool's TVL.
What happened
Sorbetto Fragola was a Uniswap v3 active-liquidity manager — users deposited assets, received "shares" representing their LP position, and earned fees proportional to their share. The pool tracked rewards by recording, for each address, the block in which it first received shares and applying fee accrual from that block forward.
The fatal flaw: the contract did not update reward-tracking state when shares were transferred between addresses. Specifically:
- When User A transferred their shares to User B, the contract recorded User B as eligible for rewards from block 0 (the pool's initial deployment block), not from the actual transfer block.
- The same shares could be transferred multiple times to different addresses, and each receiving address would be credited with rewards as if it had held those shares since the pool's inception.
The attack:
- Flash-borrowed approximately $30M USDT and $32M ETH from various sources.
- Deposited the borrowed assets into Sorbetto Fragola, receiving Sorbetto shares.
- Transferred the shares to a sequence of attacker-controlled addresses — each transfer registered the recipient as "eligible for rewards since block 0."
- Claimed rewards from each of the attacker-controlled addresses — the contract calculated each address's reward share as if it had been holding the maximum stake since deployment.
- Net result: rewards claimed across all the attacker addresses summed to approximately the entire pool's TVL.
- Withdrew the rewards as real assets, repaid the flash loans, and walked away with ~$20.7M.
Notably, the attacker took primarily USDC and USDT (about $10M combined) plus several other assets. Popsicle's other contracts were not affected — the bug was specific to Sorbetto Fragola's reward-tracking logic.
Aftermath
- Popsicle paused Sorbetto Fragola and announced a redesign of the reward-accounting logic.
- The team published a post-mortem identifying the share-transfer state-update gap as the root cause.
- A redesigned Sorbetto with proper share-transfer state updates was eventually launched, but Popsicle's standing in the active-liquidity-management category did not recover.
- No public recovery of stolen funds.
Why it matters
Popsicle is the textbook case for why every state-mutating operation in a reward-tracking system must update every dependent state variable. The contract's transfer function moved the shares without touching the reward-eligibility timestamp, leaving the two pieces of state inconsistent — and the inconsistency was the entire exploit.
The pattern recurs across DeFi whenever a protocol implements fee/reward tracking by storing a per-address "eligibility start" timestamp that must be updated on every transfer but is only updated on deposit and withdrawal:
- MasterChef forks that don't update reward debt on share transfers.
- Staking contracts that calculate rewards based on a "first deposit" block.
- Yield aggregators that aggregate user state across deposit lots.
The defensive pattern — update all reward-debt state on every share transfer, not just on deposit/withdraw — is now standard in modern reward-tracking code. Popsicle's $20.7M is one of the foundational cases that made it standard.
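As an added illustration (not Popsicle's code, and not a reproduction of the Sorbetto Fragola contract), the following Python model covers both the accounting failure described under "What happened" and the defensive pattern just named. `VulnerablePool` records a per-address eligibility block on first deposit and leaves it untouched on transfer, so a fresh recipient is paid as if it had held the shares since block 0; `HardenedPool` uses the MasterChef-style accumulator (a pool-wide `acc_per_share` plus a per-user `reward_debt`) and settles both parties on every transfer; `solvent()` is the conservation invariant that a test suite or off-chain monitor should check. All names, constants and scenario amounts are constructed.

```python
# Added illustration of the two accounting designs discussed above. Not
# Popsicle's code; all constants, names and scenario numbers are constructed.

FEES_PER_BLOCK = 100   # constructed: fee income the pool earns every block
SCALE = 10**12         # fixed-point scale for the per-share accumulator

def advance(pool, blocks):  # time passes; the pool earns fees every block
    pool.block += blocks
    pool.fees_accrued += blocks * FEES_PER_BLOCK

class VulnerablePool:
    """Per-address 'eligible since' block: set on deposit, never on transfer."""
    def __init__(self):
        self.block = self.total_shares = self.fees_accrued = self.fees_paid = 0
        self.shares, self.eligible_since = {}, {}

    def deposit(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount
        self.eligible_since.setdefault(who, self.block)  # first deposit only

    def transfer(self, src, dst, amount):
        # BUG: shares move but eligibility does not; a fresh recipient later
        # reads the default of block 0, i.e. "held since pool inception".
        assert self.shares.get(src, 0) >= amount
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount

    def claim(self, who):
        held = self.block - self.eligible_since.get(who, 0)
        owed = self.shares.get(who, 0) * held * FEES_PER_BLOCK // self.total_shares
        self.eligible_since[who] = self.block
        self.fees_paid += owed
        return owed

class HardenedPool:
    """MasterChef-style accumulator; every share movement settles both parties."""
    def __init__(self):
        self.block = self.last_block = self.total_shares = self.acc_per_share = 0
        self.fees_accrued = self.fees_paid = 0
        self.shares, self.reward_debt, self.credited = {}, {}, {}

    def _update(self):  # fold fees earned since last_block into acc_per_share
        if self.total_shares:
            earned = (self.block - self.last_block) * FEES_PER_BLOCK
            self.acc_per_share += earned * SCALE // self.total_shares
        self.last_block = self.block

    def _settle(self, who):  # bank what `who` has earned so far
        bal = self.shares.get(who, 0)
        pending = bal * self.acc_per_share // SCALE - self.reward_debt.get(who, 0)
        self.credited[who] = self.credited.get(who, 0) + pending
        self.reward_debt[who] = bal * self.acc_per_share // SCALE

    def _reset_debt(self, who):  # debt must track the *new* balance
        self.reward_debt[who] = self.shares[who] * self.acc_per_share // SCALE

    def deposit(self, who, amount):
        self._update(); self._settle(who)
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_shares += amount
        self._reset_debt(who)

    def transfer(self, src, dst, amount):
        # FIX: settle sender and recipient, move shares, then reset both debts.
        assert self.shares.get(src, 0) >= amount
        self._update(); self._settle(src); self._settle(dst)
        self.shares[src] -= amount
        self.shares[dst] = self.shares.get(dst, 0) + amount
        self._reset_debt(src); self._reset_debt(dst)

    def claim(self, who):
        self._update(); self._settle(who)
        owed = self.credited.pop(who, 0)
        self.fees_paid += owed
        return owed

def solvent(pool):  # conservation invariant: never pay out more than was earned
    return pool.fees_paid <= pool.fees_accrued

def run_scenario(pool_cls, hops=5):
    """Replay the write-up's pattern; return (extracted, fees earned, solvent)."""
    pool = pool_cls()
    pool.deposit("honest", 1_000)
    advance(pool, 100)                # pool earns 10_000 before the attacker arrives
    pool.deposit("attacker0", 9_000)  # flash-loan-sized deposit: 90% of shares
    extracted = 0
    for i in range(hops):             # pass shares along fresh addresses, claim each
        pool.transfer(f"attacker{i}", f"attacker{i + 1}", 9_000)
        extracted += pool.claim(f"attacker{i + 1}")
    return extracted, pool.fees_accrued, solvent(pool)

def fair_split():  # hardened pool: a legitimate mid-stream transfer splits fees correctly
    pool = HardenedPool()
    pool.deposit("alice", 1_000)
    advance(pool, 100)                # alice alone: 10_000
    pool.transfer("alice", "bob", 500)
    advance(pool, 100)                # half each: 5_000 apiece
    return pool.claim("alice"), pool.claim("bob")
```

Running `run_scenario` against each class shows the same share-passing sequence extracting several times the fees the vulnerable pool actually earned, and nothing at all from the hardened one, while `fair_split` shows the hardened transfer still attributing fees correctly to a legitimate recipient. The `solvent` invariant is cheap to recompute off-chain from deposit, transfer and claim events, and is the kind of check that surfaces this class of accounting bug before funds leave the pool.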
It's also notable that Certora later published a formal-verification analysis showing the bug would have been caught by their tool. Formal verification of reward-tracking invariants has subsequently become more common at protocols that handle meaningful TVL.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-popsicle-finance-hack-august-2021
- [02] coindesk.com: https://www.coindesk.com/markets/2021/08/04/popsicle-finance-loses-207m-in-cyberattack
- [03] theblock.co: https://www.theblock.co/linked/113482/defi-platform-popsicle-finance-suffers-20-million-exploit