On 21 July 2024, UtopiaSphere token UPS was exploited for ~$521K via a flash loan exploit. The exploiter used flash-loaned funds to manipulate the price of UPS by taking advantage of the project’s swapBurn() mechanism, which burns a portion of UPS when selling. The UPS/USDT pair has remained empty and inactive since the exploit.
This is the second incident involving UtopiaSphere, which was also exploited 3 months prior, on 8 April 2024; in that incident the exploiter gained approximately $28k. The exploiter used the same vulnerability: transferring UPS tokens to the pair caused the pair to burn the tokens, lowering its reserves so the exploiter could drain the pair with a small amount of UPS.
Addresses
Vulnerable Contract Address: 0xe2bb1B04c978A8C8CC1E0bccA5AD30e274b69Bfa
Exploiter Wallet Address: 0x6e12ce089a8BedeA49532010229f0913475d8d9c
Step by Step
The pair is then synchronized to have 96.756M BSC-USD and 1 wei of UPS. The 5% transfer fee (~256K) is distributed to 32 nodeList addresses while 95% goes to the pair. The extreme reserve ratio enables the exploiter to swap all 96.756M BSC-USD tokens out of the pair with 4.733M UPS.
The _swapBurn() mechanism, which burns a portion of UPS tokens on a designated pair (via the designated router) when selling, allows the exploiter to manipulate the reserve ratio of the pair and profit from it. By borrowing most of the supply and burning the remainder to leave 1 wei of UPS, they could then use the imbalance to empty the USDT from the pair.
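To make the reserve arithmetic concrete, here is an added Python model (not UtopiaSphere's code; the pre-exploit pool size of 5M UPS is assumed, and only the 96.756M, 4.733M and 1 wei figures echo the write-up). It contrasts a burn taken from the pair's own balance followed by a sync() with a burn charged to the seller before tokens reach the pair, and computes the reserve-drain ratio a monitor would alert on.

```python
from dataclasses import dataclass

WEI = 10**18

def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=30):
    """Uniswap V2 style quote: tokens out for amount_in against current reserves."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    return amount_in_with_fee * reserve_out // (reserve_in * 10_000 + amount_in_with_fee)

@dataclass
class Pair:
    balance_ups: int   # UPS actually held by the pair contract
    reserve_ups: int   # UPS reserve used for pricing
    reserve_usd: int

    def sync(self):
        # Like Uniswap V2 sync(): reserves are reset to actual balances, so a burn
        # taken from the pair's balance becomes a permanent cut in the UPS reserve.
        self.reserve_ups = self.balance_ups

    def sell_ups(self, amount_to_pair):
        """Swap UPS in for USD out; returns USD paid out and updates reserves."""
        out = get_amount_out(amount_to_pair, self.reserve_ups, self.reserve_usd)
        self.balance_ups += amount_to_pair
        self.reserve_ups = self.balance_ups
        self.reserve_usd -= out
        return out

def burn_from_pair(pair, amount):
    """Vulnerable swapBurn-style pattern: burn tokens already sitting in the pair."""
    pair.balance_ups -= amount

def drain_fraction(amount_out, reserve_out_before):
    """Monitoring metric: share of the output reserve removed by a single swap."""
    return amount_out / reserve_out_before

def is_anomalous_swap(fraction, threshold=0.5):
    """Simple alert rule: one swap should never take most of a pool's reserve."""
    return fraction > threshold

def vulnerable_scenario():
    pair = Pair(5_000_000 * WEI, 5_000_000 * WEI, 96_756_000 * WEI)  # assumed pool
    burn_from_pair(pair, pair.balance_ups - 1)  # leave 1 wei of UPS in the pair
    pair.sync()                                 # reserves: 1 wei UPS : 96.756M USD
    usd_before = pair.reserve_usd
    out = pair.sell_ups(4_733_000 * WEI * 95 // 100)  # 95% of the sale reaches the pair
    return drain_fraction(out, usd_before)

def hardened_scenario():
    """Burn is charged to the seller; the pair's balance and reserve never shrink."""
    pair = Pair(5_000_000 * WEI, 5_000_000 * WEI, 96_756_000 * WEI)  # assumed pool
    usd_before = pair.reserve_usd
    out = pair.sell_ups(4_733_000 * WEI * 95 // 100)  # 5% burned from seller, 95% to pair
    return drain_fraction(out, usd_before)
```

With the pair's reserve collapsed to 1 wei, the same 4.733M UPS sale takes essentially the entire USD reserve, whereas against an intact reserve it takes under half.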
After the exploit the funds were swapped for 147.6 ETH and bridged to Ethereum wallet 0x2Eb88341BE58a04E6e7daCB32d01Ae2450dCC257.
Flash loan attacks are among the most common in the web3 ecosystem. From January to the end of July 2024, we have documented 47 flash loan incidents (including this one), resulting in initial losses of over $91m. Of that figure, around $7.9m has so far been returned.
To keep up to date on the latest incident alerts and statistics, follow @certikalert on X, or read our latest analysis here.