Spartan Protocol: Flash loan + inflated pool balance → LP burn liquidity share manipulation
Summary
Spartan Protocol (DEX / Synthetic Assets / AMM) suffered an exploit on 2021-05-01, resulting in a loss of approximately $31M.
What happened
Spartan Protocol's custom AMM used live pool balance instead of cached reserves for LP share calculation, letting an attacker inflate the pool via direct transfer and drain $30.5M by burning LP tokens.
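A simplified Python model of the accounting flaw described above, added here as an illustration and not taken from Spartan's contracts; the class, method names and numbers are constructed. It shows that the same LP units pay out more once the live balance is raised by a direct transfer, while a share computed from cached reserves is unchanged.

```python
class Pool:
    """Simplified two-asset pool (constructed model, not Spartan's contract).

    reserve_*: the pool's own bookkeeping, changed only by add/remove/swap.
    balance_*: what the token contracts report; any plain transfer raises it.
    """

    def __init__(self, reserve_base, reserve_token, lp_supply):
        self.reserve_base, self.reserve_token = reserve_base, reserve_token
        # A freshly synced pool holds exactly what it has accounted for.
        self.balance_base, self.balance_token = reserve_base, reserve_token
        self.lp_supply = lp_supply

    def direct_transfer(self, base=0, token=0):
        # Tokens sent straight to the pool address: balances move, reserves do not.
        self.balance_base += base
        self.balance_token += token

    def share_from_live_balance(self, units):
        # Pattern the page describes: pro-rata share of the live balance.
        return (units * self.balance_base // self.lp_supply,
                units * self.balance_token // self.lp_supply)

    def share_from_reserves(self, units):
        # Hardened form: pro-rata share of cached reserves only.
        return (units * self.reserve_base // self.lp_supply,
                units * self.reserve_token // self.lp_supply)

    def unaccounted(self):
        # Non-zero values mean balance and reserves have diverged; a monitor
        # or a check placed before any burn can key on this.
        return (self.balance_base - self.reserve_base,
                self.balance_token - self.reserve_token)


def demo():
    # Constructed numbers: 1,000 LP units outstanding, holder owns 100 (10%).
    pool = Pool(reserve_base=1_000_000, reserve_token=500_000, lp_supply=1_000)
    before = pool.share_from_live_balance(100)
    pool.direct_transfer(base=200_000, token=100_000)
    return {
        "before": before,
        "live": pool.share_from_live_balance(100),
        "cached": pool.share_from_reserves(100),
        "unaccounted": pool.unaccounted(),
    }
```

The gap between the `live` and `cached` results is value the LP holder never deposited through the pool's own accounting, which is why share math should read reserves and why a non-zero `unaccounted()` is worth alerting on.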
Linked factors
- RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — core protocol code was in CertiK's audit scope; the bug in calcLiquidityShare() was missed]
- RD-F-053 — causal: ★ Oracle source = spot DEX pool (no TWAP, no fallback) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-055 — related: Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-056 — related: Single-pool oracle (no medianization) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-090 — illustrative: Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Large flash loan (100K WBNB) from PancakeSwap; repeated swap-add-burn pattern across multiple transactions; significant WBNB/SPARTA pool imb...]
- RD-F-100 — illustrative: Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 100K WBNB flash loan ($61M notional)]