Arbitrum Stablecoin Exploiter Snagged $300K From $9.7B Token Boost

SperaxUSD, a yield automator on Ethereum layer-2 rollup Arbitrum, announced a user was able to explode the balance of their stablecoin tokens over the weekend.

In a Twitter thread, the team said an exploiter somehow obtained 9.7 billion USDS tokens for barely any collateral and managed to liquidate around $300,000 worth before being blocked by the Sperax and Arbitrum teams.

The Sperax team has identified the account and is in the process of taking action in coordination with centralized exchanges. The liquidated amount will be recapitalized before the protocol’s relaunch, it said. The exploit did not impact the DeFi protocol’s governance token SPA.

SperaxUSD didn’t return Blockworks’ request for comment on further details, but a detailed report was set to be published Monday.

“We have reached out to the exploiter to discuss options and we are hopeful for a peaceful resolution. The issue has been figured out and will be resolved with a smart contract upgrade. Recapitalization will be implemented early next week, then transactions will restart,” the team said.

Code bug?

A blockchain analyst who goes by the name “Spreek” on Twitter provided the likely attacker’s address in a tweet, singling out its Ethereum Name Service as “kochironnosaif.eth.”

The attack was “puzzling” as there were no transfer logs of minting or transferring the infinite number of tokens, nor was there any malicious upgrade to the contract, the sleuth said.

“Therefore I would guess [the] likely cause is [a] bug in rebasing code,” they said.

Blockchain security firm PeckShield said the root cause of the hack was due to an “internal balance accounting discrepancy caused when migrating an account from non-rebasing to rebasing-based accounting.”

SperaxUSD is a “hybrid” stablecoin whose design includes both collateral-backing and an algorithmic stabilization mechanism, according to its white paper.



Show More

Become a Millionaire by Trading Crypto!