Hyperliquid Playground Ep. 1: Liquid Staking
OverviewOn December 1, 2024, Spectral’s Syntax V2 bonding contract was exploited due to an infinite approval vulnerability in the AgentToken.sol contract. The attacker leveraged a flash loan to manipulate token approvals, enabling the transfer of almost all AgentToken.sol funds from the bonding contract, disrupting the bonding curve calculations.
By artificially reducing token balances, the attacker caused the curve to misprice tokens, allowing them to extract a disproportionately large amount of SPEC tokens from the liquidity pool. A total of 14,793 SPEC tokens, worth approximately $250,000, were drained in the attack.
About ProjectSpectral is at the forefront of a decentralized revolution, envisioning a future where onchain agents are not just a luxury for the tech-savvy but an accessible tool for everyone. Their’s mission is to transform the way individuals interact with the crypto ecosystem by establishing the Onchain Agent Economy — a pioneering framework that empowers users to create, own, and govern autonomous agents capable of executing sophisticated strategies round the clock.
Exploit DetailsVulnerable Contract: 0xD84B6CAccFCc9FA5F48c6277C40FaC0620f1d0c2
Attacker Address : 0x000000000000E921f69f1df9E0540ccdD4847A0D
Attacker Contract Address : 0x637A5Cdd63Eae6A673bE0fFbFBaf9830F905044c
Attack Transaction: 0xa3535c70c
Attack ProcessThe attacker borrowed SPEC tokens through a flash loan to have sufficient initial liquidity for the exploit.
The attacker swapped the borrowed SPEC tokens for AgentToken.sol tokens in the AutonomousAgentDeployer.solcontract using the swapExactSPECForTokens function.
The attacker swapped the AgentToken.sol back for SPEC in the AutonomousAgentDeployer.sol contract through swapExactTokensForSPEC .
The AutonomousAgentDeployer.sol calls safeTransferFrom to transfer tokens from the user to it.
Since AgentToken.sol is being transferred back to the AgentBalances.sol contract, the transfer tax is applied since it is an contract.
Inside the tax calculation code, a faulty line granted infinite approval of AgentToken.sol for the AgentBalances.solcontract. (See at line 90)
To exploit this, the attacker called the deposit function on the AgentBalances.sol contract.
This function allowed them to transfer nearly all available AgentToken.sol balances from AutonomousAgentDeployer.sol to AgentBalances.sol. This leads to the manipulation of bonding curve.
The bonding curve, using an XYK (constant product) formula, miscalculated the value of AgentToken.sol, making it appear much more valuable than it actually was.
The attacker used the inflated price of AgentToken.sol to swap a small amount of it back for an outsized amount of SPEC tokens in the liquidity pool.
By repeating the above process, the attacker drained approximately 14,793 SPEC tokens from the bonding curve, worth around $250,000 at the time.
The Root CauseThe root cause of the exploit was an unintended infinite approval in the AgentToken.sol contract during tax calculation. This approval granted the AgentBalances.sol contract unrestricted access to spend AgentToken.sol from the AutonomousAgentDeployer.sol contract.
The attacker exploited this oversight to manipulate token balances, causing the bonding curve to misprice tokens and allowing them to drain liquidity.
Flow of FundsSee the funds flow here:
Post Exploit Scenes:The team responded to the exploit quickly through their twitter(x) account.
How could they have prevented the Exploit?- Avoid Unnecessary Infinite Approvals: The approval logic in the tax mechanism should have been avoided entirely unless explicitly necessary.
- The deposit() function on AgentBalances.sol should have been restricted to trusted entities or removed entirely from public access, ensuring only authorized users or contracts could call it.
- Collaborate with reputable auditors like QuillAudits to analyse smart contracts and identify vulnerabilities.
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
Decoding Spectra Lab’s Bonding Contract $250K Exploit was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.