Arbitrum Stablecoin Exploit Has Happy Ending: Funds Returned

SperaxUSD team said person associated with exploit is not a hacker, and the action was probably a case of “experimenting”

article-image

A. Solano/Shutterstock.com modified by Blockworks

share

A yield-automating protocol on Arbitrum was exploited over the weekend in an incident that boosted the hacker’s balance of their US dollar stablecoin Sperax (USDS). 

But in a plot twist, the team said Tuesday all funds had been returned — pointing to a $300,000 USDC transaction — and that Sperax would soon provide a timeline to resume SperaxUSD transfers.

The “hybrid” stablecoin, which first notified its users of the attack on Sunday, published a report late Monday detailing what went down. 

Although in its report SperaxUSD calls the person an “attacker,” the team has said separately in a tweet that the person associated with the address is “not a hacker,” and that it pledged not to  take any action if the funds were returned.

The team said the exploiter took advantage of an internal bug in the USDS token contract to change the balance to 9.7 billion on a multi-sig wallet. 

Before the team could block the contract, the attacker managed to exchange about $309,000 USDs to USDT, USDC and WETH. 

SperaxUSD said that on Dec. 13, it had upgraded the token contract to remedy an issue in the calculation of balances, which caused incompatibilities with DEXes. 

The exploit began with the attacker sending funds to a Gnosis Safe address, a multi-signature smart contract wallet, which triggered a bug in the USDs token contract. That’s how the balance jumped to 9.7 billion tokens.

The attacker then began to sell USDs on Arbitrum, likely 10,000 at a time. Some three hours after the attack, the SperaxUSD team was able to pause the action.

Holders of the USDs token have two types of tokens: rebasing (where supply is adjusted to control price) and non-rebasing. This means that a rebasing holder’s USDs balance increases automatically upon a rebase, which is triggered weekly. 

“Even though all the contracts that we develop go through multiple rounds of reviews and thorough testing, we still missed this edge case. We feel the attacker was just experimenting with the contract since the upgraded code is not published, however he/she did uncover a novel bug, it could have been an even worse situation (if it were planned),” the team said.


Don’t miss the next big story – join our free daily newsletter.

Tags

Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research report - cover graphics (1).jpg

Research

In this report, we dive into crypto private market data to gather insights on where the future of the industry is headed. Despite a notable downturn in private raises, capital continues to infuse promising projects that aim to transform payments, banking, consumer experiences, community, and more, with 2023 being the fourth-largest year for crypto venture capital.

article-image

Ethereum Dencun will enable Ethereum transactions to be submitted as blobs, potentially alleviating the costs of posting data on the blockchain

article-image

After a rocky start, bitcoin ETF shareholders are now well in the green

article-image

Revolut said that the standalone crypto exchange is currently “invite only”

article-image

The stock price jump comes after Coinbase reported ending its seven-quarter run of net losses during the fourth quarter

article-image

BUZZ holds shares of Coinbase, Robinhood and MicroStrategy

article-image

Opinion: Even though I didn’t pay for my “Diamond Hands” burger with BTC, don’t let that fool you into thinking that crypto’s development is futile