The contract of DeFi project Spartan Protocol suffered an exploit that led to the loss of more than $30 million in funds. The incident reportedly originated from a flawed liquidity share calculation in the protocol, which resulted in assets being drained from the pool.
In the post-mortem blog post, the security firm PeckShield detailed:
“In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”
The decentralized finance [DeFi] protocol was built on Binance Smart Chain for incentivized liquidity and synthetic assets. When first reporting the incident, Spartan revealed that the malicious entity used $61 million in Binance’s native token BNB to control the pools via an unknown economic exploit path and remove almost $3 million in funds from them.
According to the post-mortem report, the flash loan was taken on BSC’s popular DEX PancakeSwap for 100,000 wrapped BNB [wBNB]. This amount was to be paid back at the last step with 260 wBNB as the flash loan fee. The hacker allegedly swapped the wrapped BNB to Spartan’s native token, SPARTA, five times via the exploited pool of the protocol, then swapped wBNB to SPARTA an additional ten times through the same pool.
After the asset balance in the pool was inflated, pool tokens were burnt to withdraw the liquidity. This process was repeated until the flash loan of 100,260 wBNB was returned and the hacker had drained more than $30 million from the DeFi protocol.
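The flawed share calculation described above, as an added example that is not from the original article, PeckShield's report or Spartan's code: a constructed one-asset pool model in Python. It assumes the flaw is that the burn payout is computed from the pool's live token balance rather than its recorded reserves; all names and numbers are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed one-asset model of a liquidity pool (not Spartan's contract)."""
    recorded: int  # asset amount the pool's own bookkeeping has accounted for
    balance: int   # asset tokens actually held at the pool address
    units: int     # pool tokens in circulation

    def unsolicited_transfer(self, amount: int) -> None:
        # A plain token transfer raises the held balance but not the bookkeeping.
        self.balance += amount

    def unaccounted(self) -> int:
        # Monitoring signal: assets held that no deposit was recorded for.
        return self.balance - self.recorded


def share_flawed(pool: Pool, burn_units: int) -> int:
    # Assumed flaw: pro-rata share taken from the live, inflatable balance.
    return pool.balance * burn_units // pool.units


def share_hardened(pool: Pool, burn_units: int) -> int:
    # Pro-rata share taken from recorded reserves only.
    return pool.recorded * burn_units // pool.units


def payout(share_fn, transfer: int, burn_units: int = 100) -> int:
    """Payout for burning burn_units of 1,000 pool tokens after a transfer."""
    pool = Pool(recorded=1_000_000, balance=1_000_000, units=1_000)  # constructed
    pool.unsolicited_transfer(transfer)
    return share_fn(pool, burn_units)


if __name__ == "__main__":
    for transfer in (0, 500_000):
        print(transfer, payout(share_flawed, transfer), payout(share_hardened, transfer))
```

The hardened payout stays the same whatever is transferred in, and a non-zero `unaccounted()` value before a burn is something a monitor can alert on.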
DeFi Flash Loan Attacks One After Another
Rekt, which posted another assessment of the incident, also stated that the Spartan exploit, with $30 million in funds drained, is the sixth-biggest incursion on its leaderboard.
This news comes just days after attackers of yet another Binance Smart Chain DeFi exchange, Uranium Finance, siphoned off more than $57 million in a similar attack. On April 20th, layer two protocol EASYFI lost around $59 million.