Arbitrum Stablecoin Exploit Has Happy Ending: Funds Returned

A yield-automating protocol on Arbitrum was exploited over the weekend in an incident that boosted the hacker’s balance of their US dollar stablecoin Sperax (USDS).

But in a plot twist, the team said Tuesday all funds had been returned — pointing to a $300,000 USDC transaction — and that Sperax would soon provide a timeline to resume SperaxUSD transfers.

The “hybrid” stablecoin, which first notified its users of the attack on Sunday, published a report late Monday detailing what went down.

Although in its report SperaxUSD calls the person an “attacker,” the team has said separately in a tweet that the person associated with the address is “not a hacker,” and that it pledged not to take any action if the funds were returned.

The team said the exploiter took advantage of an internal bug in the USDS token contract to change the balance to 9.7 billion on a multi-sig wallet.

Before the team could block the contract, the attacker managed to exchange about $309,000 USDs to USDT, USDC and WETH.

SperaxUSD said that on Dec. 13, it had upgraded the token contract to remedy an issue in the calculation of balances, which caused incompatibilities with DEXes.

The exploit began with the attacker sending funds to a Gnosis Safe address, a multi-signature smart contract wallet, which triggered a bug in the USDs token contract. That’s how the balance jumped to 9.7 billion tokens.

The attacker then began to sell USDs on Arbitrum, likely 10,000 at a time. Some three hours after the attack, the SperaxUSD team was able to pause the action.

Holders of the USDs token have two types of tokens: rebasing (where supply is adjusted to control price) and non-rebasing. This means that a rebasing holder’s USDs balance increases automatically upon a rebase, which is triggered weekly.

“Even though all the contracts that we develop go through multiple rounds of reviews and thorough testing, we still missed this edge case. We feel the attacker was just experimenting with the contract since the upgraded code is not published, however he/she did uncover a novel bug, it could have been an even worse situation (if it were planned),” the team said.

Source