
Spartan Protocol, a DeFi project on Binance Smart Chain, was exploited for over $30.5m. The hacker’s whereabouts are unknown, and a second version of Spartan Protocol is currently being rebuilt with bug fixes implemented.
Sparta has no investors, no team tokens, no airdropped funds, no treasury. The team's own funds were backstopping liquidity in the protocol, which was also taken.
We are left with nothing but our resolve, commitment and vision. Which means we are ready to re-build.
— Spartan Protocol (@SpartanProtocol) May 3, 2021
What is/was Spartan Protocol?
Spartan Protocol provided a platform for incentivized liquidity and synthetic assets. The SPARTA token had an internal pricing mechanism without having to rely on external oracles for price settlement. Such a system could provide a fundamental basis for a trustless network of swaps, synthetic tokens, lending, derivatives, and more – at least in theory and according to the team.
Spartan Protocol claims to have ‘no investors, no team tokens, and no treasury,’ stating that the team’s personal funds were backstopping liquidity in the protocol and that those funds were stolen as well. They are currently working on rebuilding from the ground up, claiming that they will ‘rebuild the shield wall’ free of bugs or exploitable code.
How Did the Exploit Occur?
1/12
I’m finally home, which means it’s time for a thread about a four-hour attack on Spartan Protocol that resulted in $30.5M being stolen. @Peckshield has already written about the root cause, but there will be more details here as usual.
Enjoy👇 pic.twitter.com/9YSmXXIAY3
— Igor Igamberdiev (@FrankResearcher) May 2, 2021
The Twitter thread above explains in detail how the exploit occurred. A bug in Spartan Protocol’s code used the pool's current balances, rather than cached balances as Uniswap does, to calculate the value of LP tokens. Because the pricing the protocol computed was incorrect, an LP token could be broken up into more of its component tokens than is correct.
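The valuation flaw described above, modelled in Python as an added example. This is not Spartan Protocol's contract code; the pool model, the names and the numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Pool:
    """Constructed two-asset pool model; every name here is hypothetical."""
    reserve_base: int    # cached amounts, changed only by the pool's own accounting
    reserve_token: int
    balance_base: int    # current amounts held at the pool address
    balance_token: int
    lp_supply: int       # LP units in circulation

    def value_from_current_balances(self, lp_units: int) -> Tuple[int, int]:
        # Flawed valuation: current balances also count tokens that were sent
        # to the pool without going through its liquidity accounting.
        return (lp_units * self.balance_base // self.lp_supply,
                lp_units * self.balance_token // self.lp_supply)

    def value_from_cached_balances(self, lp_units: int) -> Tuple[int, int]:
        # Corrected valuation: only liquidity the pool has accounted for.
        return (lp_units * self.reserve_base // self.lp_supply,
                lp_units * self.reserve_token // self.lp_supply)


def overvaluation(pool: Pool, lp_units: int) -> Tuple[int, int]:
    """Amount by which the flawed valuation exceeds the cached-balance one."""
    flawed = pool.value_from_current_balances(lp_units)
    correct = pool.value_from_cached_balances(lp_units)
    return (flawed[0] - correct[0], flawed[1] - correct[1])


def sample_pools() -> Tuple[Pool, Pool]:
    # Constructed numbers. In `in_sync` the balances match the cache; in
    # `drifted` the pool holds more than its accounting has recorded.
    in_sync = Pool(1_000_000, 500_000, 1_000_000, 500_000, lp_supply=100_000)
    drifted = Pool(1_000_000, 500_000, 1_400_000, 700_000, lp_supply=100_000)
    return in_sync, drifted


if __name__ == "__main__":
    for name, pool in zip(("in_sync", "drifted"), sample_pools()):
        print(name, "10% of LP supply:",
              "flawed", pool.value_from_current_balances(10_000),
              "correct", pool.value_from_cached_balances(10_000),
              "excess", overvaluation(pool, 10_000))
```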
Similar flash loan attacks have been seen in the past, like the Uranium Finance hack, where $50m was lost. In the Spartan Protocol incident, over $30.5 million was stolen, including about $19 million in BNB.
Hacks of this magnitude are a good reminder that code is only as safe as the coder who wrote it, and the cryptocurrency space as a whole is still nascent. Anything promising obscene returns always has an underlying risk, and investors should always keep this in mind.
@certik_io audited the code in Sep 2020, which contained the flaw. @RektHQ and @bneiluj are ill-informed when they label Sparta as "un-audited", this is not true and makes their reporting seem hasty and biased. Rekt readers should be aware. https://t.co/1kk4AqWFDD
— Spartan Protocol (@SpartanProtocol) May 3, 2021
According to Spartan Protocol’s Twitter, a cryptocurrency security & audit company, CertiK, audited their code in September of 2020. That audited code is the same code currently deployed, meaning the flaw was already present in the code CertiK reviewed.