Spartn Protocol on Binance Smart Chain (BSC) Exploited: $30 Million Stolen
Spartan Protocol, a DeFi project on Binance Smart Chain, was exploited for over $30.5m. The hacker’s whereabouts are unknown, and a second version of Spartan Protocol is currently being rebuilt with implemented bug fixes.
What is/was Spartan Protocol?
Spartan Protocol provided a platform for incentivized liquidity and synthetic assets. The SPARTA token had an internal pricing mechanism without having to rely on external oracles for price settlement. Such a system could provide a fundamental basis for a trustless network of swaps, synthetic tokens, lending, derivatives, and more – at least in theory and according to the team.
Spartan Protocol claims to have ‘no investors, no team tokens, and no treasury,’ stating that the team’s personal funds were backstopping liquidity in the protocol and that those funds were stolen as well. They are currently working on rebuilding from the ground up, claiming that they will ‘rebuild the shield wall’ free of bugs or exploitable code.
How Did the Exploit Occur?
This thread on Twitter explains exactly how the exploit occurred in detail. A bug in Spartan Protocol’s code used current balances instead of cached balances (like Uniswap does) in order to calculate the value of LP tokens. This allowed an LP token to break up into more composite tokens than is correct since the pricing received by the protocol was incorrect.
Similar flash loan attacks have been seen in the past, like the Uranium Finance hack, where $50m was lost. In the Spartan Protocol incident, over $30.5 million was stolen, including about $19 million in BNB.
Hacks of this magnitude are a good reminder that code is only as safe as the coder who wrote it, and the cryptocurrency space as a whole is still nascent. Anything promising obscene returns always has an underlying risk, and investors should always keep this in mind.
According to Spartan Protocol’s Twitter, a cryptocurrency security & audit company, CertiK, audited their code in September of 2020. This same code is the one currently deployed, thus it excluded the exploit.