$30 500 000 USD
DESCRIPTION OF EVENTS
"Spartan Protocol operates as a community-driven project with a broader number of contributors. The platform is home to various functionalities such as granting liquidity to assets, developing lending markets, and synthetic assets." "Similar to the Ethereum-based Synthetix, the Spartan project aimed to create synthetic tradeable assets that reflect the value of other assets." "The Spartan Contracts were fully audited by Certik prior to launch, along with the usual ongoing code reviews, so this is an unfortunate reminder that there are no 100% safeguards."
"A bug in Spartan Protocol’s code used current balances instead of cached balances (like Uniswap does) in order to calculate the value of LP tokens. This allowed an LP token to break up into more composite tokens than is correct since the pricing received by the protocol was incorrect." "The exploit was possible because Spartan used current balances instead of cached balances (like Uniswap) to calculate LP tokens value."
"The hack emerges from a miscalculation of the liquidity shares whereby a digital token in a pool is burnt to obtain the specific asset. In essence, the perpetrator intends to acquire a massive amount of assets by increasing the pool’s asset value before burning a similar amount of pool tokens." “In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”
"The Spartan Protocol tweeted about the exploit four hours after it took place, by which time the hackers had already withdrawn part of his profit using Anyswap." “This suggests that the attacker chose a perfect time, which did not allow the team to react in time” "Spartan Protocol claims to have ‘no investors, no team tokens, and no treasury,’ stating that the team’s personal funds were backstopping liquidity in the protocol and that those funds were stolen as well. They are currently working on rebuilding from the ground up, claiming that they will ‘rebuild the shield wall’ free of bugs or exploitable code." "In keeping with the Spartan theme; we may be bloodied but we are not beaten and are very far from out of this fight."
Spartan Protocol is yet another audited smart contract that did something stupid. A lot of people lost a lot of money in this case.
It appears that the Spartan community has plans forward to rebuild through a new token, with the old tokens swapped one for one with the new tokens.
HOW COULD THIS HAVE BEEN PREVENTED?
Decentralized smart contracts operate like hot wallets in that they are online systems which are directly connected with the ability to send tokens.
These do not guarantee the security of funds. A more secure setup would use a multi-signature wallet with keys stored offline. This is, of course, a different model from the standard decentralized one.
Explained: The Spartan Protocol Hack (May 2021) - Halborn (May 11)
Another Day Another DeFi Hack: Spartan Protocol Exploited For Over $30M | Benzinga (May 13)
Rekt - Leaderboard (May 13)
Flash Loan Attack on Binance Smart Chain, $30 Million Stolen From Spartan Protocol Using BNB (May 13)
Spartan Protocol on Binance Smart Chain (BSC) Exploited: $30 Million Stolen (May 13)
Hacker Infiltrates Spartan Protocol Pools Causing Losses Worth $30 Million | BTCMANAGER (May 13)
@FrankResearcher Twitter (May 14)
Spartan DeFi Suffers $30M Loss in BSC Flash Loan Attack (May 14)
Spartan Protocol hacked, $39 million stolen - Stockhead (May 14)
Rebuilding Spartan Protocol (May 14)
Today Spartan Protocol Was Subject To An Exploit Targeting The Liquidity Pools (May 14)
SlowMist Hacked - SlowMist Zone (May 18)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
The Spartan Incident: Root Cause Analysis | by PeckShield Inc. | Medium (Aug 11)
@frankresearcher Twitter (Aug 11)
security/2021-05-02-Spartan-Pool.md at master · OriginProtocol/security · GitHub (Aug 11)
CertiK Blockchain Security Leaderboard (Jun 1)