May 5th, 2021
On May 2, 2021, the Spartan protocol was the victim of a smart contract exploit. By taking advantage of a flawed liquidity share calculation, the attacker was able to steal approximately $30 million from the project.
The attack against the SPARTA smart contract takes advantage of a failure in the contract’s liquidity calculations. If the attacker inflates the asset balance within the liquidity pool, burning pool tokens will allow them to withdraw an unfair share of the underlying assets.
The attack was performed in this transaction. The transaction starts with a 100k WBNB flashloan from PancakeSwap. The attack can then be broken up into 3 main stages:
Stage 1: Pool Token Acquisition: The attacker performs five transactions swapping approximately 1,913 WBNB each round for a total of about 2,536 SPARTA tokens. These SPARTA tokens plus an additional 11,853 WBNB are then added to receive about 933,350 pool tokens.
Stage 2: Asset Balance Inflation: The attacker performs an additional ten swaps of about 1,674 WBNB each to SPARTA. The resulting approximately 2,639,121 SPARTA and about 21,632 WBNB are added to the pool, inflating its asset balance.
Stage 3: Liquidity Extraction: The attacker burns the approximately 933,350 pool tokens from the first step for about 2,538 SPARTA and 20,694 WBNB (a 9k WBNB profit). They then use the assets from the second step to extract pool tokens, which are burned for about 2,643,882 SPARTA and 21,555 WBNB.
By repeating this process multiple times, the attacker extracted about $30 million in tokens from the pool.
At the end of the transaction, the WBNB flashloan from PancakeSwap is paid off.
The attacker used multiple transactions to bypass slippage protections within the contract and was able to take advantage of a flawed liquidity share calculation in the smart contract code. The calculation checked the current balance (which the attacker inflated) rather than the cached balance. The difference between these two values is what allowed the attacker to extract extra tokens during each round of the attack.
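A minimal model of the calculation flaw described above, added here as an illustration and not taken from Spartan's contract code. It uses a one-asset pool with constructed numbers; `Pool`, `round_trip` and the `use_live_balance` switch are hypothetical names. It shows that pricing a burn off the live balance lets the same tokens count twice, while pricing off the cached reserve nets to zero.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """One-asset model of a pool; all names and numbers are constructed."""
    cached: int   # reserve recorded in the pool's own accounting
    live: int     # balance the token contract reports for the pool address
    units: int    # pool tokens outstanding

    def raw_transfer(self, amount: int) -> None:
        # Tokens sent straight to the pool: live moves, cached does not.
        self.live += amount

    def add_liquidity(self) -> int:
        # Credit whatever arrived since the last accounting update.
        deposit = self.live - self.cached
        minted = deposit * self.units // self.cached
        self.units += minted
        self.cached = self.live
        return minted

    def remove_liquidity(self, burn: int, use_live_balance: bool) -> int:
        # Flawed variant prices the share off the live balance,
        # corrected variant prices it off the cached reserve.
        base = self.live if use_live_balance else self.cached
        payout = burn * base // self.units
        self.units -= burn
        self.cached -= payout
        self.live -= payout
        return payout


def round_trip(use_live_balance: bool) -> tuple[int, int]:
    """Return (holder's net gain, balance left for the other holders)."""
    pool = Pool(cached=1000, live=1000, units=1000)
    held, sent = 100, 500                  # holder owns 10% of the units
    pool.raw_transfer(sent)                # inflates the live balance only
    out = pool.remove_liquidity(held, use_live_balance)
    minted = pool.add_liquidity()          # same tokens now counted as a deposit
    out += pool.remove_liquidity(minted, use_live_balance)
    fair_in = held * 1000 // 1000 + sent   # stake value plus tokens sent
    return out - fair_in, pool.live


if __name__ == "__main__":
    print("live balance  :", round_trip(True))
    print("cached balance:", round_trip(False))
```

The other holders' units were worth 900 before the round trip, so any second value below 900 is value taken from them; a property test asserting a non-positive net gain catches this class of bug.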
Many of the recent attacks against DeFi projects are designed to exploit slippage, which allows an attacker to extract more value than they put in based upon inaccurate exchange rates.
While many projects – like the Spartan Protocol – have protections against slippage, these can be bypassed. This latest attack demonstrates that looking for ways around these protections should be a focus for smart contract developers, not just for attackers.
If you’re interested in finding out how you can prevent your blockchain project from getting hacked, contact Halborn at firstname.lastname@example.org.