Arbitrum Stablecoin Exploit Has Happy Ending: Funds Returned

SperaxUSD team said person associated with exploit is not a hacker, and the action was probably a case of “experimenting”


A. Solano/ modified by Blockworks


A yield-automating protocol on Arbitrum was exploited over the weekend in an incident that boosted the hacker’s balance of their US dollar stablecoin Sperax (USDS). 

But in a plot twist, the team said Tuesday all funds had been returned — pointing to a $300,000 USDC transaction — and that Sperax would soon provide a timeline to resume SperaxUSD transfers.

The “hybrid” stablecoin, which first notified its users of the attack on Sunday, published a report late Monday detailing what went down. 

Although in its report SperaxUSD calls the person an “attacker,” the team has said separately in a tweet that the person associated with the address is “not a hacker,” and that it pledged not to  take any action if the funds were returned.

The team said the exploiter took advantage of an internal bug in the USDS token contract to change the balance to 9.7 billion on a multi-sig wallet. 

Before the team could block the contract, the attacker managed to exchange about $309,000 USDs to USDT, USDC and WETH. 

SperaxUSD said that on Dec. 13, it had upgraded the token contract to remedy an issue in the calculation of balances, which caused incompatibilities with DEXes. 

The exploit began with the attacker sending funds to a Gnosis Safe address, a multi-signature smart contract wallet, which triggered a bug in the USDs token contract. That’s how the balance jumped to 9.7 billion tokens.

The attacker then began to sell USDs on Arbitrum, likely 10,000 at a time. Some three hours after the attack, the SperaxUSD team was able to pause the action.

Holders of the USDs token have two types of tokens: rebasing (where supply is adjusted to control price) and non-rebasing. This means that a rebasing holder’s USDs balance increases automatically upon a rebase, which is triggered weekly. 

“Even though all the contracts that we develop go through multiple rounds of reviews and thorough testing, we still missed this edge case. We feel the attacker was just experimenting with the contract since the upgraded code is not published, however he/she did uncover a novel bug, it could have been an even worse situation (if it were planned),” the team said.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2023

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Cover Vertex.jpg


The proliferation of new perp DEXs has led to fragmented liquidity across various DEXs and chains. Vertex, known for its vertically-integrated DEX that includes spot, perpetual, and integrated money markets, is now tackling cross-chain liquidity fragmentation through horizontal integration with the launch of new Edge instances. Vertex's integrated offerings and cross-margined account structure amplify the benefits of new instances: native cross-chain spot trading, optimized cross-chain basis trading, consistent interest rates, reduced bridging friction, and more.


Plus, a dive into crypto’s ever-expanding unicorn club


Also, tokenization continues to grab headlines and one bitcoin miner stock soars Tuesday after inking a big deal


Fifteen million daily failed transactions disappeared from Solana


FTX debtors will pay the IRS $200M, with an outstanding lower priority claim of $685M


I’ve come to the realization that more attention is needed to create and sculpt the digital spaces where we live


The NYSE went down yesterday after a glitch caused a string of erroneous trades. Does DeFi fix this?