Today, Spartan Protocol was subject to an exploit targeting the liquidity pools. Approximately $40M+ USD was drained in this exploit, based on token prices at the time.
The Spartan Contracts were fully audited by Certik prior to launch, along with the usual ongoing code reviews, so this is an unfortunate reminder that there are no 100% safeguards. More action however will be taking place to ensure greater confidence in the Spartan Protocol ecosystem as we move towards V2.
The attacker used ~$60M BNB to create a large imbalance in the Spartan Pools through extremely large batches of transactions to create unhealthy ratios of collateral tokens and SPARTA in each targeted pool. Similar attacks have been made on other DeFi protocols in the past.
Once the imbalance was present, the attacker manipulated the addition of tokens to the pools to exploit a call that determines the Liquidity Share of a wallet address. Once complete, the attacker removed their inflated percentage of each Liquidity Pool, and began to dispose of the assets via CEX, DEX and by bridging tokens to other blockchains besides Binance Smart Chain.
Big thanks to the team at PeckShield for their full and detailed analysis of the transaction, which you can find here.
Also a big thanks to all the other individuals & projects who reached to help out.
Unfortunately, our early Liquidity Providers and Bond+Mint participants have been the most heavily impacted Spartans from this attack. We continue to investigate and are in communications with Binance regarding the source of the ~$60M BNB and whether there are any links to a KYC account.
Spartan Protocol remains determined and focused on delivering on it’s original whitepaper - the delivery of a synthetic asset protocol with leverage on Binance Smart Chain. We have no plans to stop BUIDLing nor to simply hang up our helms when the going gets tough. Spartan Protocol is not the first and will definitely not be the last DeFi protocol that may be targeted with a flash crash and/or economic exploit in the past or future.
The path forwards may look different now though. Whilst the 'audit' path may never result in 100% protection from malicious actors, there will likely be another determined and fresh-angled focus on this before V2 launches. For starters, the BNB in the community bounty wallet will likely be used for a CodeArena bounty now instead of grants for community BUIDLing.
A CodeArena bounty will allow and encourage developers and white hats to review and assess the code from different angles.
With this bug analysed and discussed so deeply today, the focus will be to ensure it has been addressed and closed in V2. A detailed report has been worked on today by a range of contributors, keep a look out for a more official update tomorrow, and we will continue to communicate our future actions with the Shield Wall on Telegram and Twitter.
Recommendations if you have provided liquidity or bonded in v1:
- Claim your remaining bonded LP tokens (a claim will now result in the entire remaining amount instead of having to wait)
- Unlock your LP tokens from the DAO (lock+earn)
- Remove your liquidity from the pools and await an update on the next steps towards SpartanProtocolV2