I started my crypto journey answering the basic questions of how this works, why this important and why I should be paying attention. But then I wondered “What could go wrong? How does a crypto protocol get hacked and what happens after?”
Im starting this mini-series to help you discover what I found. Hope you enjoy.
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets or currencies. Do your own due diligence.
The Spartan Protocol was built as a DeFi application for the Binance Smart Chain, an Ethereum competitor. It involved creating incentivized liquidity pools, utilizing an automated market maker, generating synthetic assets (derivatives), and lending. It claimed to be the Uniswap, MakerDAO, and Synthetix DeFi applications from the Ethereum network all rolled into one. They had big dreams and aspirations of bringing a truly competitive DeFi project to Binance. They were even mentioned during an event in 2020 by the CEO of Binance, Changpeng Zhao (aka CZ).
But just months after going live, on May 1st 2021:
They scrambled to find out what had just happened. Over $30M had just been stolen:
PeckShield Inc., a blockchain auditor and security company, was able to diagnose the issue.
It wasn’t good.
They found the problem was embedded in the code of the nascent dapp:
This incident was due to a flawed logic in calculating the liquidity share when the pool token is burned to withdraw the underlying assets. In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.
They used a technique that only exists in the world of DeFi known as a “flash loan.” This is an automated unsecured loan that uses smart contracts to ensure the borrower must pay back the loan before the transaction ends. Otherwise the transaction will be reversed as if it never happened. That means that whatever the person is trying to do with that loan must occur instantly, or at least in less than a few seconds.
But if the transaction doesn’t work, who cares? The loan is paid back without taking any risk other than a small fee (some lending dapps even offer zero fee flash loans). Flash loans can be used by traders looking for quick arbitrage opportunities and other use cases, but it has also been used to exploit vulnerable DeFi applications in the past.
They go through the steps of how this was done:
Borrowed a large flash loan in a Binance Coin derivative known as “wrapped” Binance Coin (wBNB).
Continuously swapped small amounts of Binance tokens with Spartan tokens inside a SPARTA-WBNB liquidity pool.
Added both tokens into the same liquidity pool, minting new “pool tokens.”
Continued to swap the tokens again.
Added more tokens to the pool, inflating the asset balance within the pool and making each pool token worth more.
(No, that’s not supposed to happen)Burned some of the pool tokens, which resulted in receiving a much higher amount of both Binance and Spartan tokens than they originally put into the pool.
They continuously added higher and higher amounts of both tokens to the pool and then burned more pool tokens, creating more and more profit.
Continued draining funds from the pool until time ran out and they needed to repay the original loan. They kept the excess profit.
Peckshield explains how they were able to inflate the liquidity pool:
The vulnerability stems from the fact that the liquidity share calculation
calcLiquidityShare()
is querying the current balance which can then be inflated for manipulation. A correct calculation needs to make use of cached balance inbaseAmountPooled/tokenAmountPooled
.
A coding error resulted in the loss of $30M from users of that liquidity pool.
What a lousy shield wall.
Despite all this, the Spartan token continues trading on Binance and the developers continued working on their next steps forward:
The developers have since resolved the issues, and will issue a token swap, where users can now exchange the old SPARTAv1 tokens for new SPARTAv2 tokens. They are also allowing users who can prove they were affected by the hack to claim the tokens that were stolen. This is the right move, and the best possible outcome for their early users who believed in them and the project.
Just make sure you do it right:
Please do not share this link directly with users. Instead, we urge you to direct them to this Medium article. This link is being published here only, to minimise (sic) the risk of users being scammed of their old V1 tokens, or being directed to interact with a DApp that was built for the purpose of stealing tokens. There are now several different contract addresses on Binance Smart Chain that are related to the mythology of the Spartans, please be careful.
Thoughts:
This really is the wild west of crypto. Even though they are trying their best to make things right by issuing new tokens, there are still so many other scams out there waiting to pick off their users. Buyer beware of new and untested protocols and DeFi projects.
On the one hand, they showed that they care and will do the right thing for their users. On the other hand, do you really trust them after they allowed a coding error to allow someone to seize $30M? I wouldn’t, but what do I know? Maybe this adversity makes them stronger. Maybe this is their Battle of Thermopylae, and even though they lost a lot of good tokens they will eventually win the war of DeFi. Who knows?
What impresses me even more about this whole story is how hard it is to finish off a crypto project. You would think that after the initial hack that would be it. The users would leave and move on to another hot DeFi crypto application and the developers would go work elsewhere. None of that happened, at least so far. Time will tell if SPARTAv2 will continue on or not. But unless all the transactions dry up or the developers leave this isn’t going to go away. The old token will stop trading and the new one will just pop right back in its place. These decentralized networks can be super resilient. Maybe more than most of us realize.
Thanks for reading!
If you enjoyed this post or found it somehow useful, please consider tipping at WookieeIndex on Twitter.
ALSO:
If you find yourself having trouble saving, Yotta gives you better incentives, as well as a steady 0.2% APY. This is an FDIC Insured savings account that gives you a lottery ticket for every $25 you put in. You get daily number drawings with a top prize of $10M if you match all the numbers. Match 5 and you could win a Tesla! See the rewards below. And if nothing else, you have a nice little nest egg!
If you sign up, use code CHARLES280 and we will BOTH get an extra 100 tickets for 1 week.