Arbitrum Stablecoin Exploiter Snagged $300K From $9.7B Token Boost

SperaxUSD, a yield automator on Ethereum layer-2 rollup Arbitrum, announced a user was able to explode the balance of their stablecoin tokens over the weekend.

In a Twitter thread, the team said an exploiter somehow obtained 9.7 billion USDS tokens for barely any collateral and managed to liquidate around $300,000 worth before being blocked by the Sperax and Arbitrum teams.

The Sperax team has identified the account and is in the process of taking action in coordination with centralized exchanges. The liquidated amount will be recapitalized before the protocol’s relaunch, it said. The exploit did not impact the DeFi protocol’s governance token SPA.

On February 4th, the SperaxUSD protocol on @Arbitrum was exploited. The Core team is ready to share the known elements now, and the detailed report will follow on Monday, February 6th. 1/6

— SperaxUSD: Stablecoin with organic Auto-Yield (@SperaxUSD) February 4, 2023

SperaxUSD didn’t return Blockworks’ request for comment on further details, but a detailed report was set to be published Monday.

“We have reached out to the exploiter to discuss options and we are hopeful for a peaceful resolution. The issue has been figured out and will be resolved with a smart contract upgrade. Recapitalization will be implemented early next week, then transactions will restart,” the team said.

Code bug?

A blockchain analyst who goes by the name “Spreek” on Twitter provided the likely attacker’s address in a tweet, singling out its Ethereum Name Service as “kochironnosaif.eth.”

The attack was “puzzling” as there were no transfer logs of minting or transferring the infinite number of tokens, nor was there any malicious upgrade to the contract, the sleuth said.

“Therefore I would guess [the] likely cause is [a] bug in rebasing code,” they said.

Blockchain security firm PeckShield said the root cause of the hack was due to an “internal balance accounting discrepancy caused when migrating an account from non-rebasing to rebasing-based accounting.”

The root cause of the @SperaxUSD hack is due to its internal balance accounting discrepancy caused when migrating an account from non-rebasing to rebasing-based accounting. And here is the triggering tx from a simple transfer: https://t.co/tkLORdWnmg https://t.co/QpYJyhpsXK pic.twitter.com/VYN2n8ZoHs

— PeckShield Inc. (@peckshield) February 4, 2023

SperaxUSD is a “hybrid” stablecoin whose design includes both collateral-backing and an algorithmic stabilization mechanism, according to its white paper.

Source