Project name: Sperax USD/Sperax
Project type: Token
Date of exploit: Feb 4, 2023
Asset loss: $250k
Vulnerability: Incorrect Logic in Migration/Rebasing Mechanism
Date of audit report publishing:
- Dec 22, 2021: Sperax VI
- Oct 26, 2021: Sperax
Conclusion: Out of Audit Scope
Details of the Exploit
Background
Sperax USD is a DeFi project providing services including USDs (liquid-staked stablecoin) and Demeter (multi-DEX liquidity management protocol) on Arbitrum. The USDs contract was exploited through a potential vulnerability in its accounting migration mechanism, which the attacker used to inflate the supply of USDs.
Nature of the Vulnerability
- Because the contract was unverified, we can only establish that the USDs contract updated the balance of the account incorrectly.
CertiK Audit Overview

Conclusion
On Feb 4, 2023, SperaxUSD was attacked, leading to a loss of $250K due to incorrect logic in its Migration/Rebasing Mechanism.
The compromised contract is Sperax's stablecoin contract (Sperax USD, USDs), which is outside CertiK's audit scope (the staking and SperaxToken contracts).
References
SperaxUSD’s announcement:



