Earlier today, DeFi protocol Spartan Protocol tweeted that an attacker was exploiting its V1 pools. The team said it was aware of the problem and was investigating the abuse. It also asked its community for help.
What we know so far –
*Attacker used $61m in BNB to overcome the pools via an as yet unknown economic exploit path to remove roughly $30m in funds from the pools.
Reach out if you can help identify and analyse the exploit. https://t.co/aNTvdzKOeF
— Spartan Protocol (@SpartanProtocol) May 2, 2021
Spartan Pools v1 has been attacked – the team is aware and investigating.
Famous blockchain journalist Wu Blockchain also noted that Binance is helping with the investigation:
BSC's early imitating Synthetix project was hacked, and it landed on Binance Exchange in September 2020. Spartan Protocol stated that it is cooperating with Binance to recover the stolen funds. https://t.co/pQZWj25iC9
— Wu Blockchain (@WuBlockchain) May 2, 2021
BSC’s Synthetix-like project has been hacked. The Spartan Protocol stated that it is partnering with Binance to recover the stolen funds.
So what exactly happened?
The attacker apparently used $61 million in BNB to launch a “flash loan” attack on Binance Smart Chain and pulled $30 million in funds from Spartan pools. According to PeckShield, this is the first “proper” flash loan attack on the BSC. In a flash loan attack, the attacker borrows large amounts of money to cause price volatility and profits from it.
This is how the DeFi attack happened step by step!
As detailed in a report shared by Wu Blockchain, the attack was as follows:
First, the hacker borrowed 10,000 WBNB from PancakeSwap. The attacker then swapped WBNB for SPARTA tokens through the Spartan pool five times. The attacker then injected these tokens into liquidity pools and minted approximately 933,351 SpartanPoolV1-Wrapped BNB (SPT1-WBNB) tokens.
After that, the hacker swapped WBNB for SPARTA ten more times in the vulnerable Spartan pool.
The attacker then transferred all the SPARTA tokens obtained and locked them in a liquidity pool to artificially raise the price. The hacker then burned 933,351 SPT1-WBNB tokens. During this whole process, the hacker made a profit of 9,000 WBNB.
Finally, the hacker injected the pool tokens he obtained into the pool to provide liquidity. He then started the burn process to obtain 2,643,882 SPARTA and almost 21,555 WBNB.
Blockchain security company’s report
According to a Medium post shared by PeckShield, an industry-leading blockchain security company, the incident was caused by an error in calculating the liquidity share when pool tokens are burned to withdraw the underlying tokens. The hack “inflates the pool’s balance before burning the same amount of pool’s tokens to claim unnecessarily large amounts of underlying assets.”
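The accounting error PeckShield describes, reduced to a toy model as an added example (this is not Spartan Protocol's or PeckShield's code). The `Pool` class, its method names, the recorded-reserve correction and all numbers are constructed assumptions; it shows only how pricing a burn from the live balance differs from pricing it from recorded reserves, and the balance-versus-reserve drift a monitor can check.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed toy model of one asset side of a liquidity pool."""
    balance: int    # tokens the pool contract actually holds
    reserve: int    # tokens recorded through the pool's own add/remove paths
    lp_supply: int  # pool (LP) tokens outstanding

    def transfer_in(self, amount: int) -> None:
        # Plain token transfer to the pool address: the live balance rises,
        # but the recorded reserve and the LP supply do not change.
        self.balance += amount

    def unaccounted(self) -> int:
        # Monitoring invariant: live balance minus recorded reserve.
        return self.balance - self.reserve

    def burn_vulnerable(self, units: int) -> int:
        # Flawed: the share is taken from the live balance, so tokens that
        # arrived without minting LP tokens inflate the payout.
        return self._burn(units, self.balance)

    def burn_hardened(self, units: int) -> int:
        # Corrected (assumed fix): the share uses the recorded reserve only.
        return self._burn(units, self.reserve)

    def _burn(self, units: int, basis: int) -> int:
        if not 0 < units <= self.lp_supply:
            raise ValueError("invalid LP amount")
        out = units * basis // self.lp_supply
        self.lp_supply -= units
        self.balance -= out
        self.reserve = max(self.reserve - out, 0)
        return out


def payout(burn, inflate_by: int, units: int = 100):
    """Burn `units` LP tokens after `inflate_by` tokens were transferred in.

    Returns (tokens paid out, unaccounted balance seen before the burn).
    """
    pool = Pool(balance=1_000, reserve=1_000, lp_supply=1_000)
    pool.transfer_in(inflate_by)
    drift = pool.unaccounted()
    return burn(pool, units), drift
```

With the same 10% share of pool tokens, the flawed calculation pays out more than the recorded reserve justifies, while the corrected one is unaffected by the inflated balance; a non-zero `unaccounted()` value immediately before a burn is the signal to alert on.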