Binance Smart Chain-based liquidity platform Spartan Protocol has suffered an attack on its liquidity pool, resulting in a loss of more than $30 million, the project said in a tweet on 2 May.
According to blockchain analysis and security firm PeckShield, the hacker exploited a “flawed liquidity share calculation” in the project’s SPARTA/WBNB pool to claim a “large amount of underlying assets”. Through the use of flash loans, the attacker was able to inflate the balance of the pool, before burning an equivalent amount of pool tokens, enabling him to steal roughly $30 million from the pool. Spartan Protocol first reported on the incident at 12:21 AM UTC on 2 May.
PeckShield further said the vulnerability was due to the protocol’s liquidity share calculation, “calcLiquidityShare()”, querying the pool’s current balance, which could then be inflated for manipulation. Following the incident, Spartan Protocol said its code was built from scratch, was “not a clone of anything”, and had previously been audited. It further stated that it would now rebuild its protocol, with “more focus on continual reviews”.
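The flaw PeckShield describes, as a simplified Python model added here for illustration (it is not Spartan Protocol's contract code; the `Pool` class, its method names and the sample numbers are assumptions). A share computed from the live balance changes when tokens are sent straight to the pool, while a share computed from recorded reserves does not, and the gap between the two is a value a monitor can alert on.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Simplified two-asset pool (hypothetical model, not Spartan's contract)."""
    reserve_base: int    # amounts recorded by the pool's own deposit/withdraw logic
    reserve_token: int
    balance_base: int    # amounts the token contracts report for the pool address
    balance_token: int
    lp_supply: int       # total pool tokens in circulation

    def receive_transfer(self, base: int, token: int) -> None:
        """A plain token transfer to the pool: balances move, recorded reserves do not."""
        self.balance_base += base
        self.balance_token += token

    def share_from_balance(self, units: int) -> tuple[int, int]:
        """Flawed pattern: pro-rata share of whatever the pool holds right now."""
        return (self.balance_base * units // self.lp_supply,
                self.balance_token * units // self.lp_supply)

    def share_from_reserves(self, units: int) -> tuple[int, int]:
        """Hardened pattern: pro-rata share of the recorded reserves only."""
        return (self.reserve_base * units // self.lp_supply,
                self.reserve_token * units // self.lp_supply)

    def unaccounted(self) -> tuple[int, int]:
        """Drift between live balance and recorded reserves; nonzero merits an alert."""
        return (self.balance_base - self.reserve_base,
                self.balance_token - self.reserve_token)


def demo() -> dict:
    # Constructed sample state: 1,000 base, 50,000 token, 10,000 pool tokens.
    pool = Pool(1_000, 50_000, 1_000, 50_000, 10_000)
    units = 1_000  # 10% of the pool-token supply
    before = pool.share_from_balance(units)
    pool.receive_transfer(base=500, token=25_000)  # balance grows outside pool accounting
    return {
        "before": before,
        "flawed_after": pool.share_from_balance(units),
        "hardened_after": pool.share_from_reserves(units),
        "drift": pool.unaccounted(),
    }


if __name__ == "__main__":
    print(demo())
```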
This is the second BSC-based project to get exploited in less than a week. On 28 April, DeFi project Uranium Finance lost more than $50 million worth of crypto, when an attacker targeted a bug in its V2.1 migration event. Earlier in April, Uranium also lost around $1.3 million in BUSD and BNB from its pools, though the project later said it was able to recover around $1 million from the attack.
Last week also saw an attempted attack on cryptocurrency exchange Hotbit. While unsuccessful in his attempt to drain funds from the platform, the hacker was able to compromise Hotbit’s user database. The exchange has since entered into maintenance mode, and has stated it would need between 7 and 14 days to inspect, restore, and upgrade all of its systems.