Spartan DeFi lost $30 million in BSC flash loan attack

  • Spartan DeFi loses $30 million to a flash loan attack
  • The flash loan attack was carried out on Pancakeswap
  • Cryptocurrency platforms and projects continue to lose money to hackers

Cryptocurrencies offer unparalleled security compared to traditional financial systems. However, crypto platforms are also prone to hacks, and Spartan on the Binance Smart Chain (BSC) is the latest to fall victim to a flash loan attack.

Spartan loses $30 million in flash loan attack

Spartan, a decentralized finance (DeFi) platform hosted on the Binance Smart Chain, suffered a flash loan attack, losing $30 million in the process. The hack was due to a flawed liquidity share calculation in the protocol.

In a report yesterday, security firm PeckShield explained the exploit on the Spartan protocol, which took place on May 1. PeckShield said, “In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”

The blog post explained that the attack involved various operations designed to prepare the vulnerable pool. The hackers followed that by manipulating the pool to drain the funds. The Rekt Blog, which looks at hacks and exploits in the DeFi ecosystem, ranks the Spartan attack as the sixth-highest on its leaderboard. The blog added that it believes the era of BSC flash loans is here.

According to Rekt’s postmortem of the attack, the flash loan was carried out on Pancakeswap for 100,000 wrapped BNB (wBNB). This was returned in the end with 260 wBNB as the flash loan fee.

Rekt explained that the attacker swapped wBNB to the SPARTA token five times via the exploited Spartan pool. Each time, the hacker swapped 1,913 wBNB to get 621,865 SPARTA tokens. The process was executed ten more times to inflate the asset balance in the pool.

The attacker proceeded to burn the tokens to ensure that the liquidity could be withdrawn. The process was repeated until they repaid the flash loan of 100,260 wBNB and got away with the $30 million.
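The accounting flaw PeckShield describes, a pool balance inflated before pool tokens are burned, can be seen in a small model. This is an added Python example, not Spartan's contract code or PeckShield's: the `Pool` class, its method names and all numbers are constructed, and it assumes the flawed calculation takes the share from the pool's live balance while the corrected one uses the pool's recorded reserves.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy one-asset liquidity pool (constructed model, not Spartan's contract code)."""
    reserve: int    # asset amount the pool's bookkeeping has recorded
    balance: int    # asset amount actually held at the pool address
    lp_supply: int  # pool tokens in circulation

    def receive_unaccounted(self, amount: int) -> None:
        # A direct transfer raises the held balance; the recorded reserve does not move.
        self.balance += amount

    def share_flawed(self, units: int) -> int:
        # Assumed flaw: pro-rata share taken from the live balance.
        return units * self.balance // self.lp_supply

    def share_hardened(self, units: int) -> int:
        # Pro-rata share taken from recorded reserves only.
        return units * self.reserve // self.lp_supply

    def burn(self, units: int, hardened: bool) -> int:
        if not 0 < units <= self.lp_supply:
            raise ValueError("invalid pool token amount")
        payout = self.share_hardened(units) if hardened else self.share_flawed(units)
        self.lp_supply -= units
        self.reserve -= min(payout, self.reserve)
        self.balance -= payout
        return payout


def payout_after_inflation(hardened: bool) -> int:
    # Constructed numbers: 1,000,000 asset units, 1,000 pool tokens, holder burns 100.
    pool = Pool(reserve=1_000_000, balance=1_000_000, lp_supply=1_000)
    pool.receive_unaccounted(500_000)
    return pool.burn(100, hardened)


if __name__ == "__main__":
    print("flawed payout:  ", payout_after_inflation(hardened=False))
    print("hardened payout:", payout_after_inflation(hardened=True))
```

With the balance-based calculation, burning 10% of the pool tokens pays out 10% of whatever the pool happens to hold at that moment; with the reserve-based calculation, the payout is unaffected by assets the pool never accounted for.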

Hacker has yet to withdraw the funds

PeckShield explained that although the attack was successful, the funds are currently lying in a wallet. “And most of the attacker’s funds from the above exploitations are currently held in this wallet: 0x3b6e. We are actively monitoring this wallet for any movement,” the post concluded.

Most past attacks in the crypto space were targeted at centralized exchanges. However, the emergence of decentralized exchanges means that hackers can now also target these DeFi projects.
