
UtopiaSphere Incident Analysis


Incident Summary

On 21 July 2024, the UtopiaSphere token (UPS) was exploited for ~$521K in a flash loan attack. The exploiter used flash-loaned funds to manipulate the price of UPS by abusing the project’s swapBurn() mechanism, which burns a portion of UPS on every sell. The UPS/USDT pair has remained empty and inactive since the exploit.

This is the second incident involving UtopiaSphere. The project was also exploited three months earlier, on 8 April 2024, when the exploiter gained approximately $28k. That exploiter abused the same vulnerability: transferring UPS tokens to the pair caused the pair's tokens to be burned, lowering its reserves so that the pair could be drained with a small amount of UPS.

Exploit Transaction

Attack Flow

Addresses

Vulnerable Contract Address: 0xe2bb1B04c978A8C8CC1E0bccA5AD30e274b69Bfa

Exploiter Wallet Address: 0x6e12ce089a8BedeA49532010229f0913475d8d9c

Step by Step

  1. The exploiter began by recursively borrowing a total of 89.672M USDT through flash loans, then minted 7.917M vUSDC tokens to borrow an additional 6.424M USDT.
  2. The 96.196M USDT was swapped for 810.833M UPS.
    • Pre-swap pair balance:
      • 560.128K USDT and 815.566M UPS.
    • Post-swap pair balance:
      • 96.756M USDT and 4,733,128.140045111774152584 UPS.
  3. The exploiter swapped 4.982M UPS for USDT. During the transfer of UPS to the pair, the swapBurn() mechanism was triggered, burning 95% of the transfer amount and leaving exactly 1 wei of UPS in the pair.

The pair is then synchronized to have 96.756M BSC-USD and 1 wei of UPS. The 5% transfer fee (~256K) is distributed to 32 nodeList addresses while 95% goes to the pair. The extreme reserve ratio enables the exploiter to swap out all 96.756M BSC-USD tokens from the pair with 4.733M UPS.

  4. The exploiter repaid the flash-loaned funds and was left with approximately $521k USDT.

Vulnerability

  • _swapBurn()
    • _burn()
      • _update()

The _swapBurn() mechanism, which burns a portion of UPS tokens held by a designated pair (via the designated router) when selling, allows the exploiter to manipulate the reserve ratio of the pair and profit from it. By borrowing most of the supply and burning the remainder to leave 1 wei of UPS, they could then use the imbalance to empty the USDT from the pair.
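To make the reserve-ratio argument concrete, here is a toy model of a constant-product pair paired with a burn-on-sell token, added for this write-up rather than taken from UtopiaSphere's contracts. It contrasts a hook that debits the burn from the pair's own balance (the flawed pattern described above, with simplified arithmetic) against one that burns only the seller's tokens; every figure is a constructed, scaled-down value, and FEE, BURN and the helper names are assumptions.

```python
# Toy constant-product pair and a token that burns part of every sell into it.
# Added for this write-up, not UtopiaSphere's code; burn arithmetic simplified,
# all figures constructed and scaled down.
FEE, BURN, ONE_WEI = 0.997, 0.95, 1e-18  # LP fee, burn share, floor left in pair

class Pair:
    def __init__(self, usdt, ups):
        self.usdt = float(usdt)                         # USDT reserve
        self.ups_reserve = self.ups_balance = float(ups)

    @staticmethod
    def _quote(amount_in, r_in, r_out):                 # x * y = k on reserves
        a = amount_in * FEE
        return a * r_out / (r_in + a)

    def sync(self):                                     # public, anyone may call it
        self.ups_reserve = self.ups_balance

    def buy_ups(self, usdt_in):
        out = self._quote(usdt_in, self.usdt, self.ups_reserve)
        self.usdt += usdt_in
        self.ups_balance -= out
        self.sync()                                     # _update() after a swap
        return out

    def transfer_ups_in(self, amount, burn_from_pair):  # token hook on sells
        if burn_from_pair:
            # Flawed: the burn is debited from what the pair already holds, so a
            # sell shrinks the pair's UPS to dust. Safe: only the seller burns.
            self.ups_balance = max(self.ups_balance - BURN * amount, ONE_WEI)
        self.ups_balance += amount * (1 - BURN)         # the unburned remainder

    def sell_ups(self, amount, burn_from_pair):
        self.transfer_ups_in(amount, burn_from_pair)
        amount_in = self.ups_balance - self.ups_reserve  # V2: balance - reserve
        out = self._quote(amount_in, self.ups_reserve, self.usdt)
        self.usdt -= out
        self.sync()
        return out

def flash_loan_round(burn_from_pair, usdt=560.0, ups=815.0, loan=96_000.0):
    # The write-up's sequence, scaled down: borrow, corner UPS, sell into the
    # pair to trigger the burn, sync, dump the rest, repay. Returns profit.
    pair = Pair(usdt, ups)
    held = pair.buy_ups(loan)
    for _ in range(10):                 # flawed hook: ~19x less reserve per call
        t = pair.ups_reserve / BURN     # enough to burn the whole current reserve
        pair.transfer_ups_in(t, burn_from_pair)
        pair.sync()                     # reserves now track the burned balance
        held -= t
    return pair.sell_ups(held, burn_from_pair) - loan
```

With the flawed hook the round nets almost the entire original USDT liquidity (560 in this scaled model); with the seller-side burn the same sequence loses money, because the pair's UPS balance can only ever grow.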


Fund Flow

After the exploit the funds were swapped for 147.6 ETH and bridged to Ethereum wallet 0x2Eb88341BE58a04E6e7daCB32d01Ae2450dCC257.


The Stats

Flash loan attacks are among the most common in the web3 ecosystem. From January to the end of July 2024, we have documented 47 flash loan incidents (including this one), resulting in initial losses of over $91m. Of that figure, around $7.9m has so far been returned.


To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis here.
