Arbitrum Stablecoin Exploit Has Happy Ending: Funds Returned

SperaxUSD team said person associated with exploit is not a hacker, and the action was probably a case of “experimenting”

article-image

A. Solano/Shutterstock.com modified by Blockworks

share

A yield-automating protocol on Arbitrum was exploited over the weekend in an incident that boosted the hacker’s balance of their US dollar stablecoin Sperax (USDS). 

But in a plot twist, the team said Tuesday all funds had been returned — pointing to a $300,000 USDC transaction — and that Sperax would soon provide a timeline to resume SperaxUSD transfers.

The “hybrid” stablecoin, which first notified its users of the attack on Sunday, published a report late Monday detailing what went down. 

Although in its report SperaxUSD calls the person an “attacker,” the team has said separately in a tweet that the person associated with the address is “not a hacker,” and that it pledged not to  take any action if the funds were returned.

The team said the exploiter took advantage of an internal bug in the USDS token contract to change the balance to 9.7 billion on a multi-sig wallet. 

Before the team could block the contract, the attacker managed to exchange about $309,000 USDs to USDT, USDC and WETH. 

SperaxUSD said that on Dec. 13, it had upgraded the token contract to remedy an issue in the calculation of balances, which caused incompatibilities with DEXes. 

The exploit began with the attacker sending funds to a Gnosis Safe address, a multi-signature smart contract wallet, which triggered a bug in the USDs token contract. That’s how the balance jumped to 9.7 billion tokens.

The attacker then began to sell USDs on Arbitrum, likely 10,000 at a time. Some three hours after the attack, the SperaxUSD team was able to pause the action.

Holders of the USDs token have two types of tokens: rebasing (where supply is adjusted to control price) and non-rebasing. This means that a rebasing holder’s USDs balance increases automatically upon a rebase, which is triggered weekly. 

“Even though all the contracts that we develop go through multiple rounds of reviews and thorough testing, we still missed this edge case. We feel the attacker was just experimenting with the contract since the upgraded code is not published, however he/she did uncover a novel bug, it could have been an even worse situation (if it were planned),” the team said.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research Report Templates (2).png

Research

We’re bullish on the PUMP token. We believe Pump.fun's brand strength, existing integrations, product roadmap, and strategic levers justify PUMP's TGE valuation, and expect the token to re-rate meaningfully higher in the months ahead.

article-image

Bitcoin’s recent peak is a victory lap for curvers left and right

article-image

Securitize CEO Carlos Domingo says institutions are eager to get exposure to tokenization

article-image

Trade isn’t war and prosperity isn’t a contest

article-image

Data shows frontrunning has declined on the network compared to last year

article-image

Industry watchers weigh in on what’s coming for bitcoin, M&A and tokenization before the year wraps

article-image

“We are open 24/7/365, but good luck getting an employee to pick up.”