A user has taken to Twitter to break the news of an attack on Arbitrum USDs, in which a bug in the code that automatically changes users' accounts led to the hack. According to one of the tweets in the series, the code half changed the account to a new style, using that change to calculate the other half of switching over.
The exploit began with the attacker first sending money to an EOA address. This triggered the migration of USDs accounting, which had a bug when the account already had funds.
The bug was difficult to track; however, the user who broke the news shared how they did it. Per another tweet in the series, the user ran a binary search on the account balances to find which block had the problem. The contract bytecode was then decompiled, and storage reads and writes were used to trace the internal flow of execution.
Another user gave more details, notifying the community that the hack of SperaxUSD had apparently caused a loss of $250,000 from the network. The attacker was able to inflate the supply of USDs without leaving any transfer log, so no one could tell how many tokens had been minted or moved.
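The block-bisection step described above, combined with the observation that balances changed without transfer logs, can be sketched as follows. This is an added illustration, not code from the tweets or from Sperax; `balance_at` is a hypothetical stand-in for a historical balance query against an archive node, and every block number and amount is constructed.

```python
from bisect import bisect_right

# Constructed Transfer events for one watched account: (block, signed delta).
TRANSFER_LOGS = [(100, +500), (140, -200), (180, +50)]

# Constructed balance history: (block, balance from that block onward).
# The jump at block 163 has no matching Transfer event.
BALANCE_CHANGES = [(100, 500), (140, 300), (163, 9300), (180, 9350)]


def balance_at(block):
    """Hypothetical stand-in for a historical balance query on an archive node."""
    idx = bisect_right([b for b, _ in BALANCE_CHANGES], block)
    return BALANCE_CHANGES[idx - 1][1] if idx else 0


def expected_from_logs(block):
    """Balance implied by summing every logged transfer up to `block`."""
    return sum(delta for b, delta in TRANSFER_LOGS if b <= block)


def diverged(block):
    """True when the stored balance no longer matches the transfer logs."""
    return balance_at(block) != expected_from_logs(block)


def first_divergent_block(good, bad):
    """Bisect (good, bad] for the first block where balance and logs disagree.

    Assumes divergence persists once it starts, so the predicate is monotonic.
    Returns (block, number_of_balance_queries_in_the_loop).
    """
    if diverged(good) or not diverged(bad):
        raise ValueError("need a known-good lower and known-bad upper block")
    queries = 0
    while bad - good > 1:
        mid = (good + bad) // 2
        queries += 1
        if diverged(mid):
            bad = mid
        else:
            good = mid
    return bad, queries


if __name__ == "__main__":
    print(first_divergent_block(0, 1000))
```

Over a range of 1,000 blocks the search needs only about ten balance lookups, which is why the approach stays practical when the candidate range covers a long stretch of chain history.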
Specifically, the attacker took advantage of a bug in the rebasing code. This sounds pretty much the way it should. The hacker exploited the flaw in the network in a way that left no evidence of a malicious upgrade of SperaxUSD’s smart contract.
While the team behind the community is yet to address the concern, on-chain records confirm that the hacker was able to take away $250,000 worth of stablecoins. Sperax has paused the system for now to avoid any further damage. Had the attack been noticed sooner, the system could have been paused earlier to limit the damage. Nonetheless, measures have been taken to mitigate any loss that may happen in the future.
The Sperax team has identified the address as kochironnosaif.eth and mentioned it on Twitter, even though the user had already done so. The user also shared a screenshot showing that the attacker has slightly more than 23.5 ETH, worth $38,859.
USDs is fully backed by a diverse portfolio of stablecoins like Tether and USD Coin. The team is not going to stop building the ecosystem after the incident.
It is important to note that SperaxUSD currently stands at a market capitalization of $22.04 million, according to CoinMarketCap. Each token was seen changing hands at $0.99, a drop of 1.12% in the last 24 hours. Now that the news is out on the internet, the figures are likely to change unless the Sperax team addresses the concern directly.
A statement on how it plans to prevent future attacks like these would surely go a long way.