UtopiaSphere Second Flash Loan Exploit
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
UtopiaSphere (UPS) is a decentralized blockchain platform which offers a trading system, NFT marketplace, games, and social features. On July 21st, the platform was exploited through a flash loan attack, allowing $521k to be removed from the smart contract. The platform appears to be continuing to operate. It is unclear if the exploit has been acknowledged or any specific steps have been taken to compensate those affected.[1][2][3][4][5][6][7][8][9][10]
About UtopiaSphere
"Unveiling the UPS cryptocurrency ecosystem. Redefining digital finance. Welcome to a new era of digital finance, where UPS leads the charge in innovation and progress. Our ecosystem encompassses cutting edge technologies and dynamic features, promising users a transformative experience in the world of virtual currencies. One. Turing-quantified trading system, revolutionizing digital transactions. At the core of the UPS ecosystem lies our turing quantified trading system, a pioneering solution that revolutionizes digital transactions. Leveraging advanced algorithms and quantitative analysis, this system ensures optimal trading efficiency and accurancy, empowering users to navigate the markets with confidence. Two. NFT decentralized exchange trading. In our commitment to democratizing digital asset trading, UPS introduces an NFT decentralized exchange. This platform provides a secure and transparent marketplace for NFT transactions, fostering a thriving ecosystem where creators and collectors can interact freely and securely. Three. Blockchain gaming. Bridging cryptocurrency with interactive entertainment. Explore the fusion of cryptocurrency and gaming with UPS's blockchain gaming integration. Through strategic partnerships and innovative developments, we offer users an immersive gaming experience powered by blockchain technology. From in-game assets to decentralized economies, UPS is shaping the future of interactive entertainment. Four. Social connectivity. Building community and collaboration. Beyond transactions and trading, UPS emphasizes social connectivity, creating a vibrant community where users can engage, collaborate, and thrive. Through interactive forums, social features, and community events, we foster meaningful connections and collective growth within the UPS community. Join the UPS revolution. Experience the future of digital finance. Embrace the future of digital finance with UPS cryptocurrency. Whether you're a trader, collector, gamer, or social enthusiast, our ecosystem offers something for everyone. Join us on this journey of innovation, collaboration, and empowerment, and together let's redefine the landscape of digital finance."
The Reality
"Flashloan attacks are among the most common in the web3 ecosystem. From January to end of July 2024, we have documented 47 flashloan incidents (including this one), resulting in initial losses of over $91m. Of that figure, around $7.9m has so far been returned."
"This is the second incident involving UtopiaSphere who was also exploited, 3 months prior, on 8 April 2024, in that incident the exploiter gained approximately $28k. The exploiter exploited the same vulnerability by transferring UPS tokens to the pair which then burned the tokens, lowering reserves so the exploiter could drain the pair with a small amount of UPS."
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 21st, 2024 5:12:24 AM MDT | Attack Transaction | The attack transaction occurs on the blockchain. |
| August 5th, 2024 6:04:00 AM MDT | CertiK Analysis Report | CertiK publishes an analysis of the exploit and shares this on Twitter. |
Technical Details
"The _swapBurn() mechanism, that burns a portion of UPS tokens on a designated pair (by the designated router) when selling, allows the exploiter to manipulate reserve ratio on the pair and profit from it. By borrowing most of the supply and burning the remainder to leave 1 wei UPS, they could then use the imbalance to empty the USDT from the pair."
"The exploiter began by recursively borrowing a total of 89.672M USDT through flashloans, then minted 7.917M vUSDC tokens to borrow an additional 6.424M USDT."
"The 96.196M USDT was swapped for 810.833M UPS. Pre-swap, pair balance 560.128K USDT and 815.566M UPS. Post-swap, pair balance 96.756M USDT and 4,733,128.140045111774152584 UPS."
"The exploiter swapped 4.982M UPS for USDT. During the transfer of UPS to the pair, the swapBurn() mechanism is triggered, burning 95% of the transfer amount, leaving exactly 1 wei UPS in the pair."
"The pair is then synchronized to have 96.756M BSC-USD and 1 wei of UPS. The 5% transfer fee (~256K) is distributed to 32 nodeList addresses while 95% goes to the pair. The extreme reserve ratio enables the exploiter to swap out all 96.756M BSC-USD tokens from the pair with 4.733M UPS."
Total Amount Lost
"The exploiter repaid the flash loaned funds and was left with approximately $521k USDT."
The total amount lost has been estimated at $521,000 USD.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
"After the exploit the funds were swapped for 147.6 ETH and bridged to Ethereum wallet 0x2Eb88341BE58a04E6e7daCB32d01Ae2450dCC257."
"The UPS/USDT pair has remained empty and inactive since the exploit."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
The platform appears to be continuing to operate despite the exploit.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Accessed Aug 14, 2024)
- ↑ BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Aug 14, 2024)
- ↑ UPS/USDT - UtopiaSphere Price on Pancakeswap V2 (BSC) | GeckoTerminal (Accessed Aug 14, 2024)
- ↑ - YouTube (Accessed Aug 14, 2024)
- ↑ https://www.utopiasphere.com/ (Accessed Aug 14, 2024)
- ↑ https://www.certik.com/resources/blog/utopiasphere-incident-analysis (Accessed Aug 14, 2024)
- ↑ https://pbs.twimg.com/media/GOKtKCUaAAAhzzp?format=jpg&name=large (Accessed Aug 14, 2024)
- ↑ @CertiK Twitter (Accessed Aug 14, 2024)
- ↑ 유토피아(UPS) - YouTube (Accessed Aug 21, 2024)