UtopiaSphere Incident Analysis
7/31/2024

Incident Summary

On 21 July 2024, the UtopiaSphere token UPS was exploited for ~$521K via a flash loan attack. The exploiter used flash-loaned funds to manipulate the price of UPS by taking advantage of the project’s swapBurn() mechanism, which burns a portion of UPS when selling. The UPS/USDT pair has remained empty and inactive since the exploit.

This is the second incident involving UtopiaSphere, which was also exploited three months prior, on 8 April 2024; in that incident the exploiter gained approximately $28k. That exploiter used the same vulnerability by transferring UPS tokens to the pair, which then burned the tokens, lowering the reserves so the pair could be drained with a small amount of UPS.

Exploit Transaction

Attack Flow

Addresses

Vulnerable Contract Address: 0xe2bb1B04c978A8C8CC1E0bccA5AD30e274b69Bfa

Exploiter Wallet Address: 0x6e12ce089a8BedeA49532010229f0913475d8d9c

Step by Step

  1. The exploiter began by recursively borrowing a total of 89.672M USDT through flash loans, then minted 7.917M vUSDC tokens to borrow an additional 6.424M USDT.

  2. The 96.196M USDT was swapped for 810.833M UPS.
  • Pre-swap pair balance
    • 560.128K USDT and 815.566M UPS.
  • Post-swap pair balance
    • 96.756M USDT and 4,733,128.140045111774152584 UPS.

  3. The exploiter swapped 4.982M UPS for USDT. During the transfer of UPS to the pair, the swapBurn() mechanism was triggered, burning 95% of the transfer amount and leaving exactly 1 wei of UPS in the pair.

The pair was then synchronized to hold 96.756M BSC-USD (the Binance-pegged USDT on BSC) and 1 wei of UPS. The 5% transfer fee (~256K) was distributed to 32 nodeList addresses while 95% went to the pair. The extreme reserve ratio enabled the exploiter to swap out all 96.756M BSC-USD from the pair with 4.733M UPS.

  4. The exploiter repaid the flash-loaned funds and was left with approximately $521k USDT.

Vulnerability

  • _swapBurn()
    • _burn()
      • _update()

The _swapBurn() mechanism, which burns a portion of the UPS tokens held on a designated pair (via the designated router) when selling, allowed the exploiter to manipulate the reserve ratio of the pair and profit from it. By borrowing most of the supply and burning the remainder to leave 1 wei of UPS, they could then use the imbalance to empty the USDT from the pair.


Fund Flow

After the exploit the funds were swapped for 147.6 ETH and bridged to Ethereum wallet 0x2Eb88341BE58a04E6e7daCB32d01Ae2450dCC257.


The Stats

Flashloan attacks are among the most common in the web3 ecosystem. From January to end of July 2024, we have documented 47 flashloan incidents (including this one), resulting in initial losses of over $91m. Of that figure, around $7.9m has so far been returned.


To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis here.