In a report on May 2, security firm PeckShield detailed the exploit of the Spartan protocol, which occurred the previous day. It stated that the incident was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool.
It added that this specific hack inflated the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets—$30 million worth in this instance.
Another DeFi postmortem
The attacker then swapped wBNB to the protocol’s native SPARTA token five times through the exploited Spartan pool, each time swapping 1,913 wBNB to get 621,865 SPARTA tokens. The process was completed a further ten times in order to inflate the asset balance in the pool.
Tokens were then burnt so that the liquidity could be withdrawn and the process was repeated until the flash loan of 100,260 wBNB was repaid and the attacker made off with over $30 million.
“The vulnerability stems from the fact that the liquidity share calculation is querying the current balance which can then be inflated for manipulation. A correct calculation needs to make use of cached balance.”
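The flaw described in that quote can be shown with a simplified model. This is an added example, not code from PeckShield's report or from Spartan's contracts; the `Pool` class, its method names and every figure are constructed assumptions. It compares a redemption that reads the pool's live balance with one that reads a cached reserve.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy single-asset view of an AMM pool (constructed model, not Spartan's code)."""
    reserve: int      # cached balance, changed only by the pool's own accounting
    balance: int      # live token balance the pool contract currently holds
    total_units: int  # pool (LP) tokens outstanding

    def transfer_in(self, amount: int) -> None:
        """A plain token transfer: raises the live balance, bypasses accounting."""
        self.balance += amount

    def share_live(self, units: int) -> int:
        """Flawed form: pro-rata share of whatever the pool holds right now."""
        return units * self.balance // self.total_units

    def share_cached(self, units: int) -> int:
        """Corrected form: pro-rata share of the cached reserve."""
        return units * self.reserve // self.total_units

    def burn(self, units: int, use_cached: bool) -> int:
        """Redeem pool tokens, update the books, return the asset amount paid out."""
        if not 0 < units <= self.total_units:
            raise ValueError("invalid unit amount")
        out = self.share_cached(units) if use_cached else self.share_live(units)
        self.total_units -= units
        self.balance -= out
        # Cached mode: untracked balance stays outside the reserve.
        # Live mode: the books simply follow the live balance.
        self.reserve = self.reserve - out if use_cached else self.balance
        return out


def redeem_after_transfer(use_cached: bool, inflate: int = 50_000) -> tuple:
    """Return (payout, entitlement) for a holder of 10% of the pool tokens after
    `inflate` is sent straight to the pool. All figures are constructed."""
    pool = Pool(reserve=100_000, balance=100_000, total_units=1_000)
    entitlement = pool.share_cached(100)  # share of the tracked reserve
    pool.transfer_in(inflate)
    return pool.burn(100, use_cached), entitlement


if __name__ == "__main__":
    print("live balance  :", redeem_after_transfer(use_cached=False))
    print("cached reserve:", redeem_after_transfer(use_cached=True))
```

With the live-balance calculation the payout tracks any untracked transfer into the pool; with the cached reserve the payout equals the holder's entitlement regardless of the live balance.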
The attacker used the 1inch exchange to swap all tokens to BTCB or BETH, Spartan to dump SPARTA, and Nerve Finance to swap BTCB and BETH to Anyswap versions where it withdrew the stolen funds.
More BSC exploits likely to come
The Rekt Blog warned that more such attacks are to come:
“A relatively straightforward story of another copied protocol who were too ambitious with their imitation. The era of BSC flash loans is upon us, and this won’t be the last time we see such attacks.”
SPARTA tokens dumped 40% over the weekend as news of the incursion circulated.