Details: BSC suffers first flash loan attack, $30 million in losses

DeFi Protocol Spartan Protocol Hacked, Losing $30 Million

In the world of DeFi, with the help of smart contracts, the threshold for individuals to create financial products is dramatically lowered. People are free to design their own financial products based on their needs and combine them for easy trading.

At present, as combinations of DeFi protocols grow richer, a large number of “money Lego” protocols have emerged, from Uniswap, the first-generation decentralized exchange in the Ethereum ecosystem, to Sushiswap, its second-generation evolution, to PancakeSwap in the Binance Smart Chain ecosystem. But the risks in this process of combination are also coming to the fore.

On May 2nd, the DeFi protocol Spartan Protocol was hacked. Through tracking and analysis, PeckShield found that Spartan Protocol was hit by a flash loan attack, with a loss of $30 million.

The Spartan Protocol is an asset liquidity project designed to address the various issues that arise with existing AMM protocols and synthetic assets. SpartanSwap uses THORChain’s AMM algorithm, which applies a liquidity-sensitive fee to solve the liquidity cold-start and slippage problems.

Here is how the attack works. In the first step, the attacker borrows 10,000 WBNB in a flash loan from PancakeSwap.

In the second step, the attacker converts WBNB into SPARTA in five swaps in the vulnerable Spartan exchange pool, using 1,913.172376149853767216 WBNB to obtain 621,865.037751148871481851 SPARTA, 555,430.671213257613862228 SPARTA, 499,085.759047974016386321 SPARTA, 450,888.746328171070956525 SPARTA, and 409,342.991760515634291439 SPARTA. At this point the attacker has 2,536,613.206101067206978364 SPARTA and 11,853.332738790033677468 WBNB in hand, which the attacker injects into the liquidity pool to provide liquidity and mint 933,350.959891510782264802 pool tokens (SPT1-WBNB).

In the third step, the attacker uses the same technique to convert WBNB into SPARTA in ten swaps in the vulnerable pool, exchanging 1,674.025829131122046314 WBNB for 336,553.226646584413691711 SPARTA, 316,580.407937459884368081 SPARTA, 298,333.47575083824346321 SPARTA, 281,619.23694472865873995 SPARTA, 266,270.782888292437349121 SPARTA, 252,143.313661963544185874 SPARTA, 239,110.715943602161587616 SPARTA, 227,062.743086833745362627 SPARTA, 215,902.679301559370989883 SPARTA, and 205,545.395265586231012643 SPARTA, for a total of 2,639,121.977427448690750716 SPARTA.

In the fourth step, the attacker transfers 21,632.147355962694186481 WBNB and all the SPARTA, i.e. 2,639,121.977427448690750716 SPARTA obtained in the above three steps, into the liquidity pool to inflate the asset price.

In the fifth step, the 933,350.959891510782264802 pool tokens (SPT1-WBNB) obtained in the second step are burned to withdraw liquidity. Because the liquidity pool is in an inflated state, a total of 2,538,199.153113548855179986 SPARTA and 20,694.059368262615067224 WBNB is withdrawn. It is worth noting that in the second step the attacker only exchanged 11,853.332738790033677468 WBNB, so at this point the attacker has made a profit of 9,000 WBNB.

In the sixth step, the attacker uses the 1,414,010.159908048805295494 pool tokens from the fourth step, in which liquidity was provided to the liquidity pool, and then starts the burn mechanism to obtain 2,643,882.074112804607308497 SPARTA and 21,555.69728926154636986 WBNB.

The attacker exploited the liquidity share function calcLiquidityShare(), which queries the current balance, and manipulated that balance to arbitrage. The correct operation uses the baseAmountPooled/tokenAmountPooled state instead.
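The difference between the two ways of computing a liquidity share can be seen in a small Python model. This is an added example, not Spartan's contract code or PeckShield's analysis: the `Pool` class, its method names and all amounts are constructed for illustration, with `base_pooled`/`token_pooled` standing in for the baseAmountPooled/tokenAmountPooled state and `base_balance`/`token_balance` for the contract's raw token balances.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    # Hypothetical model; *_pooled mirror baseAmountPooled/tokenAmountPooled.
    base_pooled: int = 0      # tracked reserve, changed only by liquidity calls
    token_pooled: int = 0
    base_balance: int = 0     # raw balance, changed by any transfer to the pool
    token_balance: int = 0
    total_units: int = 0      # pool (LP) tokens outstanding

    def add_liquidity(self, base, token):
        # First deposit mints `base` units; later ones mint pro rata to tracked base.
        units = base if self.total_units == 0 else base * self.total_units // self.base_pooled
        self.base_pooled += base
        self.token_pooled += token
        self.base_balance += base
        self.token_balance += token
        self.total_units += units
        return units

    def transfer_in(self, base, token):
        # Plain token transfer: balances move, tracked reserves and units do not.
        self.base_balance += base
        self.token_balance += token

    def share_from_balance(self, units):
        # Flawed pattern: the share is derived from the current balance.
        return (units * self.base_balance // self.total_units,
                units * self.token_balance // self.total_units)

    def share_from_pooled(self, units):
        # Corrected pattern: the share is derived from the tracked pooled amounts.
        return (units * self.base_pooled // self.total_units,
                units * self.token_pooled // self.total_units)

    def untracked(self):
        # Monitoring check: balance that is not reflected in the tracked reserves.
        return (self.base_balance - self.base_pooled,
                self.token_balance - self.token_pooled)

def demo():
    pool = Pool()
    pool.add_liquidity(1_000, 1_000)        # constructed existing liquidity
    units = pool.add_liquidity(100, 100)    # constructed position of 100 units
    before = pool.share_from_balance(units)
    pool.transfer_in(1_100, 1_100)          # balances double, no units minted
    return (before, pool.share_from_balance(units),
            pool.share_from_pooled(units), pool.untracked())
```

In the model, the balance-based share of the same 100 units doubles after the untracked transfer, while the share computed from the pooled state is unchanged; a non-zero `untracked()` result is the drift an auditor or monitor would look for.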

The operation of the DeFi system needs to be guaranteed by smart contracts, which requires the code of the smart contracts to be carefully vetted. If there is any vulnerability in a smart contract, it can become the target of hackers.

Under traditional conditions, hackers attack financial systems mainly by virtue of their computer skills. In the existing DeFi ecosystem, interoperability between chains and applications is not that good, so the chance of arbitrage between chains and applications may be greater. At this point, even a person whose computer skills are not so strong can become a hacker and attack the DeFi system, as long as he has enough financial knowledge and enough market sense.

Hackers can borrow large sums of money at a small cost through flash loans on the blockchain, then use the money to cause price fluctuations in some digital assets and profit from them. This first appeared on Ethereum.

PeckShield said: “The attack method is still the same, just from one chain to another. DeFi protocol developers should check their own code after the attack. If you don’t understand this, you should find a professional auditor to conduct an audit and research to prevent the problem before it happens.”

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/details-bsc-suffers-first-lightning-loan-attack-30-million-in-losses/