Another Binance Smart Chain (BSC)-based DeFi Protocol Gets Exploited for Over $30 Million

bitcoinexchangeguide.com 03 May 2021 11:11, UTC

Over the weekend, yet another BSC-based DeFi protocol got exploited. On Saturday, Spartan Protocol, a project that incentivizes deep liquidity pools for leveraged synthetic token generation, reported an attack that resulted in a loss of more than $30 million. Its native token SPARTA dropped more than 40% as a result of the exploit but has since recovered to $1.65, about 25% below its ATH of $2.25 from mid-February.

The next day, blockchain security company PeckShield Inc. released an analysis of the attack, stating that it was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool. On the technical side, the attack involved a number of operations to prepare the vulnerable pool and then manipulate it to drain funds. The attacker first borrowed a flashloan of 10K WBNB from PancakeSwap, which was returned at the last step with 260 WBNB as the flashloan fee. The vulnerability stems from the fact that the liquidity share calculation calcLiquidityShare() is querying the current balance, which can then be inflated for manipulation, noted PeckShield Inc.

The Spartan Protocol team said it would rebuild with a focus on reviews. It also noted that the code containing the flaw had already been audited by CertiK. While sharing this, it further said that “Sparta is innovative code, built from scratch, it is not a clone of anything,” amid growing criticism of DeFi projects built on BSC copying other projects that are already running on Ethereum. “Sparta does not copy a single line of SNX code, and the Sparta community feel the brand is sufficiently differentiated, un-owned, and unique to the BSC community,” it stated.

https://twitter.com/kaiynne/status/1387266959943737345

Earlier last week, another BSC-based DeFi project, Uranium Finance, was exploited for $50 million despite the project being audited by BSC Gemz, which didn’t pick up the critical vulnerability. The exploit was possible due to an update of the codebase for v2, which changed the swap fees from 0.20% to 0.16%. Unlike Spartan Protocol, Uranium Finance said they are not releasing v3, adding, “We will not be trying to make this project reborn again, doing so is not possible under these circumstances.” Currently, they are activating the distribution of less than 300k from the bonus money pot while asking users to remove liquidity from pools.
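The flaw PeckShield describes in the Spartan Protocol attack, a share calculation that reads the current balance instead of recorded reserves, can be seen in a small model. This is an added example, not Spartan Protocol code or PeckShield's analysis: the `Pool` class, its method names and all numbers are constructed assumptions, and it models only the share calculation, not the rest of the attack sequence.

```python
"""Toy model of pool share accounting. All names and numbers here are
constructed for illustration; only calcLiquidityShare() is named on the page."""


class Pool:
    def __init__(self, reserve: int, total_units: int):
        self.reserve = reserve          # amount recorded by the pool's own bookkeeping
        self.balance = reserve          # tokens actually held at the pool address
        self.total_units = total_units  # liquidity units outstanding

    def transfer_in(self, amount: int) -> None:
        """Unsolicited token transfer: the balance moves, the books do not."""
        self.balance += amount

    def drift(self) -> int:
        """Tokens held but not accounted for; non-zero is a monitoring signal."""
        return self.balance - self.reserve

    def remove_liquidity(self, units: int, use_live_balance: bool) -> int:
        """Burn `units` and pay out a pro-rata share of the chosen basis."""
        if not 0 < units <= self.total_units:
            raise ValueError("invalid unit amount")
        basis = self.balance if use_live_balance else self.reserve
        payout = units * basis // self.total_units
        self.total_units -= units
        self.reserve -= payout
        self.balance -= payout
        return payout


def compare(reserve: int, total_units: int, inflow: int, units: int) -> dict:
    """Same pool state, same burn, two share bases."""
    result = {}
    for label, live in (("live_balance", True), ("recorded_reserve", False)):
        pool = Pool(reserve, total_units)
        pool.transfer_in(inflow)
        result[label] = pool.remove_liquidity(units, use_live_balance=live)
        result[label + "_drift_after"] = pool.drift()
    return result


if __name__ == "__main__":
    print(compare(reserve=1000, total_units=1000, inflow=500, units=100))
```

With the recorded reserve as the basis, the payout for a given number of units does not depend on tokens sent to the pool outside its bookkeeping, and `drift()` gives reviewers and monitors a direct invariant to check.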
