Back to all stories
Blogs
Incident Analysis
Inflated Books: The $250K Attack on Sperax USD
1/8/2024
Inflated Books: The $250K Attack on Sperax USD

Project name: Sperax USD/Sperax

Project type: Token

Date of exploit: Feb 4, 2023

Asset loss: $250k

Vulnerability: Incorrect Logic in Migration/Rebasing Mechanism

Date of audit report publishing:

  • Dec 22, 2021: Sperax VI
  • Oct 26, 2021: Sperax

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Sperax USD is a DeFi project providing services including USDs (liquid-staked stablecoin) and Demeter (multi-DEX liquidity management protocol) on Arbitrum. The USDs contract was exploited by a potential vulnerability in the accounting migration mechanism. The attacker utilized this vulnerability to inflate the supply of USDs.

Nature of the Vulnerability

  • Since the contract was unverified, we can only know the USDs updated the balance of the account incorrectly.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.53.23 AM

Conclusion

On Feb 4, 2023, SperaxUSD was attacked, leading to a loss of $250K due to the incorrect logic in its Migration/Rebasing Mechanism.

The compromised contract is Sperax's stablecoin contract (Sperax USD, USDs), which is out of CertiK's audit scope (staking and SperaxToken contracts).

References

SperaxUSD’s announcement: