Spartan Protocol Faces A Loss Of $30M In Latest DeFi Flash Loan Attack

According to reports, a recent exploit in the DeFi space has cost the Spartan Protocol, which runs on the Binance Smart Chain, millions of dollars.

The report from PeckShield, released on the 2nd of May, gave details of the exploit, which happened on the 1st of May. According to the report, hackers exploited an incorrect liquidity share calculation in the protocol, which let them drain assets worth millions from the pool. The report went on to say that the hackers were able to increase the asset balance of the pool and then burn pool tokens of the same amount, giving them access to a large amount of funds. The exploiters accumulated a total of $30 million worth of assets before stopping.
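The flaw described above, as an added Python sketch (not Spartan's contract code, nor taken from the PeckShield report): it assumes the burn payout was computed from the pool's live asset balance rather than its accounted reserves, and the `Pool` class, its method names and all figures are constructed for illustration. It compares the two calculations and exposes the balance-versus-reserve gap that a monitor can alert on.

```python
from fractions import Fraction

class Pool:
    """Toy two-asset liquidity pool (constructed model, not Spartan's contract)."""

    def __init__(self, base, token, lp_supply):
        # Accounted reserves, updated only by the pool's own bookkeeping.
        self.reserve = {"base": base, "token": token}
        # Live balances held at the pool's address; a plain transfer raises
        # these without touching the accounted reserves.
        self.balance = dict(self.reserve)
        self.lp_supply = lp_supply

    def transfer_in(self, asset, amount):
        """Unaccounted transfer to the pool address: only the live balance moves."""
        self.balance[asset] += amount

    def quote_burn_from_balance(self, units):
        """Flawed quote: share of the live balance, inflated by unaccounted transfers."""
        return {a: Fraction(units * b, self.lp_supply) for a, b in self.balance.items()}

    def quote_burn_from_reserve(self, units):
        """Corrected quote: share of the accounted reserves only."""
        return {a: Fraction(units * r, self.lp_supply) for a, r in self.reserve.items()}

    def unaccounted(self):
        """Monitoring check: live balance minus accounted reserve, per asset."""
        return {a: self.balance[a] - self.reserve[a] for a in self.reserve}

def overpayment(pool, units):
    """How much more the flawed quote pays than the corrected one, per asset."""
    bad, good = pool.quote_burn_from_balance(units), pool.quote_burn_from_reserve(units)
    return {a: bad[a] - good[a] for a in good}

def demo():
    pool = Pool(base=1_000, token=300_000, lp_supply=10_000)  # constructed figures
    before = overpayment(pool, 1_000)       # balances match reserves: no gap
    pool.transfer_in("base", 500)           # balance inflated, reserves unchanged
    after = overpayment(pool, 1_000)
    return before, after, pool.unaccounted()

if __name__ == "__main__":
    print(demo())
```

A non-zero `unaccounted()` value at the moment pool tokens are burned is the condition to reject or alert on; pricing the burn from accounted reserves removes the overpayment entirely.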

Analysis from the Rekt Blog

The Rekt blog, which studies attacks and exploits in the DeFi space, ranked it among the biggest attacks, placing it 6th on its attack leaderboard. Analysts at the Rekt blog found that a flash loan of around 100k BNB had been taken out on PancakeSwap, to be returned with around 260 BNB as the loan fee.

The attackers converted BNB to the protocol's SPARTA token in 5 stages through the compromised Spartan pool. At each stage, they converted around 1,913 BNB to receive nearly 621,865 SPARTA tokens. This process was then repeated for another ten stages to increase the asset balance held in the pool.

Token Conversion Process

After the asset balance had been inflated, the tokens were burned in order to withdraw the liquidity. The whole process was repeated until the flash loan taken out on PancakeSwap was repaid, leaving the exploiter with over $30 million in profit.

The exploiter used the 1inch exchange to convert all of the tokens into BTCB/BETH, Spartan to take out SPARTA, and then Nerve Finance to convert the BTCB/BETH to Anyswap in order to withdraw the funds gained.

The study from the Rekt blog said that this would not be the last time hackers use this method to compromise pools like this one. It stated that developers should stop using copied protocols and must find another, unique way to secure their networks.