CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Inflated Books: The $250K Attack on Sperax USD
1/8/2024
Inflated Books: The $250K Attack on Sperax USD

Project name: Sperax USD/Sperax

Project type: Token

Date of exploit: Feb 4, 2023

Asset loss: $250k

Vulnerability: Incorrect Logic in Migration/Rebasing Mechanism

Date of audit report publishing:

  • Dec 22, 2021: Sperax VI
  • Oct 26, 2021: Sperax

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Sperax USD is a DeFi project providing services including USDs (liquid-staked stablecoin) and Demeter (multi-DEX liquidity management protocol) on Arbitrum. The USDs contract was exploited by a potential vulnerability in the accounting migration mechanism. The attacker utilized this vulnerability to inflate the supply of USDs.

Nature of the Vulnerability

  • Since the contract was unverified, we can only know the USDs updated the balance of the account incorrectly.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.53.23 AM

Conclusion

On Feb 4, 2023, SperaxUSD was attacked, leading to a loss of $250K due to the incorrect logic in its Migration/Rebasing Mechanism.

The compromised contract is Sperax's stablecoin contract (Sperax USD, USDs), which is out of CertiK's audit scope (staking and SperaxToken contracts).

References

SperaxUSD’s announcement:

Related Stories
Socket Tech Incident Analysis
Blogs
Incident Analysis
On 16 January 2024, Socket Tech was exploited by EOA 0x50df for approximately $3.3 million. The attacker took advantage of a vulnerability within the performAction function of a newly deployed contract which has an incomplete user input validation. Users who had approved the vulnerable SocketGateway contract had their funds stolen stolen. From this attack there were 230 wallets that lost funds with the biggest victim losing $656k USDC.
1/18/2024
Post Mortem: Hashflow
Blogs
Incident Analysis
​​On June 14th, 2023, Hashflow experienced a loss of ~$605k across five chains. The vulnerable contract is unverified and the vulnerable `0x1ce5` function contains a `transferFrom` function the attacker could trigger to steal user funds when approved. The vulnerable function was absent from the audited codebase, it is out of the audit scope.
1/7/2024
Platypus Finance Incident Analysis
Reports
Incident Analysis
On 16 February, 2023, at 07:16:54 PM UTC, Platypus Finance, the project behind the USP stablecoin, was attacked for approximately $8.5 million. The attack caused a large decline in the price of $USP of $0.33, (or down more than 66% compared to its intended $1 peg. The project’s native PTP token also lost a quarter of its value in a day. The attacker minted 40 million USP tokens from the MasterPlatypusV4 contract using 44 million Platypus LP-USDC tokens as collateral. So far, the team has been able to recover approximately $2.4 million USDC from the attack contract.
3/10/2023
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;