Verify a decision

{"actor":"system:backfill","investigation_id":"9b5672f5-5c92-4c3c-a51b-1d11c112c259","kind":"publish","page_slug":"spartan-protocol","published_at":"2026-05-31T07:00:06.875Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Spartan Protocol","sections":[{"content":"On May 2, 2021, an attacker drained approximately $30 million from Spartan Protocol's liquidity pools on Binance Smart Chain. The exploit began with a 100,000 WBNB flash loan from PancakeSwap. The attacker then conducted 15 sequential swaps through the vulnerable SPARTA/WBNB pool to accumulate approximately 5.2 million SPARTA tokens and mint roughly 933,351 pool (LP) tokens. After minting LP tokens, the attacker deposited an additional 21,632 WBNB and 2.6 million SPARTA directly into the pool to artificially inflate its reported balance. Because the protocol's liquidity share calculation function calcLiquidityShare() queried the current (inflatable) pool balance rather than a cached balance, burning the LP tokens allowed the attacker to withdraw a disproportionately large share of underlying assets. The attacker repeated this cycle multiple times, repaid the flash loan with a 260 WBNB fee, and exited by converting proceeds through the 1inch aggregator and Nerve Finance into BTCB and BETH before bridging out via Anyswap. The exploit transaction hash is 0xb64ae25b0d836c25d115a9368319902c972a0215bd108ae17b1b9617dfb93af8 and the attacker's wallet is 0x3b6e77722e2bbe97c1cfa337b42c0939aeb83671.","heading":"May 2021 Flash Loan Exploit","severity":"critical","sources":[{"credibility":2,"name":"PeckShield — The Spartan Incident: Root Cause Analysis","type":"research","url":"https://peckshield.medium.com/the-spartan-incident-root-cause-analysis-a0324cb4b42a"},{"credibility":2,"name":"Halborn — Explained: The Spartan Protocol Hack (May 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-spartan-protocol-hack-may-2021"},{"credibility":2,"name":"Amber Group — Exploiting Spartan Protocol's LP-Share Calculation Flaws","type":"research","url":"https://medium.com/amber-group/exploiting-spartan-protocols-lp-share-calculation-flaws-391437855e74"},{"credibility":1,"name":"CoinDesk — Binance Smart Chain's Spartan Protocol Loses $30M+ in Exploit","type":"news_article","url":"https://www.coindesk.com/markets/2021/05/02/binance-smart-chains-spartan-protocol-loses-30m-in-exploit"}]},{"content":"The root cause of the exploit was a logic flaw in the calcLiquidityShare() function within the protocol's smart contracts. This function, used to determine how many underlying assets a holder can redeem when burning LP tokens, referenced the pool's live current balance rather than stored (cached) values held in baseAmountPooled and tokenAmountPooled. Because the current balance can be inflated within a single transaction block using a flash loan, an attacker could cause the contract to believe the pool was significantly larger than it was at any stable state. Burning LP tokens against this inflated balance produced a withdrawal that far exceeded the attacker's actual proportional claim. Security firm Amber Group noted that the correct fix required using cached balance variables and that slippage protections were bypassed by splitting the exploit into multiple sequential sub-transactions within one atomic block. The flaw was architectural: the protocol's AMM design, which draws inspiration from THORChain's slip-based fee model, did not account for within-transaction balance manipulation.","heading":"Smart Contract Vulnerability — Liquidity Share Miscalculation","severity":"critical","sources":[{"credibility":2,"name":"PeckShield — The Spartan Incident: Root Cause Analysis","type":"research","url":"https://peckshield.medium.com/the-spartan-incident-root-cause-analysis-a0324cb4b42a"},{"credibility":2,"name":"Amber Group — Exploiting Spartan Protocol's LP-Share Calculation Flaws","type":"research","url":"https://medium.com/amber-group/exploiting-spartan-protocols-lp-share-calculation-flaws-391437855e74"}]},{"content":"Spartan Protocol's smart contracts were audited by CertiK prior to the protocol's launch. Despite this review, the critical vulnerability in the liquidity share calculation function was not identified. The team acknowledged in their official post-exploit statement that \"the Spartan Contracts were fully audited by Certik prior to launch, along with the usual ongoing code reviews,\" and conceded that \"there are no 100% safeguards.\" CertiK maintains a project page for Spartan Protocol on its security leaderboard. The exploit is widely cited in the security community as an example of an audit failing to catch a flash loan-enabled manipulation vector, reinforcing the general limitation of point-in-time smart contract audits in detecting economic attack paths that depend on runtime conditions.","heading":"CertiK Audit — Pre-Exploit Security Review","severity":"high","sources":[{"credibility":2,"name":"SpartanProtocol Official Medium — Exploit Statement","type":"official","url":"https://spartanprotocol.medium.com/today-spartan-protocol-was-subject-to-an-exploit-targeting-the-liquidity-pools-8589b2069cef"},{"credibility":2,"name":"CertiK — Spartan Protocol Project Page","type":"research","url":"https://www.certik.com/projects/spartanprotocol"},{"credibility":2,"name":"GitHub — spartan-protocol/resources CertiK Audit PDF","type":"official","url":"https://github.com/spartan-protocol/resources/blob/master/certik-audit.pdf"}]},{"content":"Within hours of the May 2, 2021 exploit, the Spartan Protocol team published an official acknowledgment on Medium and Twitter. The team stated it was in communication with Binance regarding the source of the approximately $60 million in BNB used by the attacker and whether any link to a KYC-verified account existed. No public confirmation of attacker identification has been reported by credible sources. Amber Group separately contacted the team on May 3 with a proof-of-concept for a follow-on exploit; the team patched the relevant Utils contract within 19 minutes, though this initial patch introduced secondary issues. The team subsequently published a comprehensive rebuilding plan. Key elements included: issuance of a new SPARTA token with a 1:1 one-way bridge for holders of the old token, a snapshot at block 7048833 to record LP positions before the exploit, and allocation of approximately 20 million SPARTA tokens (from the remaining ~35 million undistributed supply) as proportional compensation to affected liquidity providers. Only SPARTA token losses were recoverable under this plan; other assets drained from pools were not restored through protocol mechanisms. A Code4rena security bounty was announced for the V2 contracts, funded by redirecting BNB previously held in a community bounty wallet.","heading":"Team Response and Compensation Plan","severity":"high","sources":[{"credibility":2,"name":"SpartanProtocol Medium — Official Exploit Statement","type":"official","url":"https://spartanprotocol.medium.com/today-spartan-protocol-was-subject-to-an-exploit-targeting-the-liquidity-pools-8589b2069cef"},{"credibility":2,"name":"SpartanProtocol Medium — Rebuilding Spartan Protocol","type":"official","url":"https://spartanprotocol.medium.com/rebuilding-spartan-protocol-25a2901e4637"},{"credibility":2,"name":"CoinTelegraph — Spartan Protocol Exploit Results in Loss of $30M","type":"news_article","url":"https://cointelegraph.com/news/spartan-protocol-exploit-results-in-loss-of-30m"}]},{"content":"No credible source has reported that any portion of the approximately $30 million stolen in the May 2021 exploit was recovered. The team sought Binance's assistance in tracing the BNB used by the attacker, but no arrest, identification, or restitution has been publicly confirmed. The attacker's wallet (0x3b6e77722e2bbe97c1cfa337b42c0939aeb83671) held the exploit proceeds and conversion to BTCB/BETH via cross-chain bridges made tracing significantly harder. Affected liquidity providers received partial compensation only in newly-issued SPARTA tokens, which itself traded at a fraction of its pre-exploit value, substantially reducing the real value of any compensation received.","heading":"Fund Recovery","severity":"high","sources":[{"credibility":2,"name":"Halborn — Explained: The Spartan Protocol Hack (May 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-spartan-protocol-hack-may-2021"},{"credibility":2,"name":"SpartanProtocol Medium — Rebuilding Spartan Protocol","type":"official","url":"https://spartanprotocol.medium.com/rebuilding-spartan-protocol-25a2901e4637"}]},{"content":"Spartan Protocol was conceived and developed by a self-described \"pseudo-anonymous group of developers\" who cited decentralization philosophy as the reason for not disclosing their identities, drawing explicit comparison to Bitcoin's anonymous origins and to THORChain's pseudonymous team. No named founders, executive team, or lead developers have been publicly identified. The protocol launched with a fair-distribution model (Proof-of-Burn) that allocated no tokens to founders or a treasury. While anonymity is common in DeFi, the complete absence of publicly accountable individuals reduces accountability mechanisms in the event of loss or dispute, as demonstrated by the inability to hold any party legally responsible following the $30 million exploit.","heading":"Anonymous / Pseudonymous Team","severity":"medium","sources":[{"credibility":2,"name":"SpartanProtocol Medium — Announcing the Spartan Protocol","type":"official","url":"https://medium.com/spartanprotocol/announcing-the-spartan-protocol-e15af93a8a8f"},{"credibility":2,"name":"BSC News — Project Insight: Spartan Protocol","type":"news_article","url":"https://bsc.news/post/spartan-protocol-project-review-incentivized-liquidity-and-synthetic-asset-generation"}]},{"content":"Spartan Protocol V2 launched on the BNB Chain mainnet in October 2021, approximately five months after the exploit. Four initial pools (BNB, BTCB, BUSD, and ETH) entered a 7-day initialization phase on approximately October 5, 2021, during which liquidity could be deposited and swaps executed but withdrawals were restricted. V2 incorporated the cached-balance fix and underwent additional security review including a Code4rena contest. As of May 2026, the protocol remains technically operational, with a DApp accessible at spartanprotocol.org. However, the SPARTA token trades at approximately $0.0002, representing a decline of more than 99.9% from its all-time high of $2.25. CoinGecko reports a market capitalization of approximately $15,000, with 24-hour trading volume of under $200. CoinLore reported no price data received after April 2025, suggesting near-total market inactivity. The protocol has not attracted significant new liquidity or user activity since the exploit.","heading":"V2 Relaunch and Current Status","severity":"medium","sources":[{"credibility":2,"name":"Smart Liquidity Research — Spartan Protocol V2 Mainnet Launch","type":"news_article","url":"https://smartliquidity.info/2021/10/05/spartan-protocol-v2-mainnet-launch/"},{"credibility":2,"name":"CoinGecko — Spartan Protocol (SPARTA) Price","type":"other","url":"https://www.coingecko.com/en/coins/spartan-protocol"},{"credibility":2,"name":"Spartan Protocol DApp","type":"official","url":"https://spartanprotocol.org/"}]}],"sources_used":[{"name":"CoinDesk — Binance Smart Chain's Spartan Protocol Loses $30M+ in Exploit","type":"news_article","url":"https://www.coindesk.com/markets/2021/05/02/binance-smart-chains-spartan-protocol-loses-30m-in-exploit"},{"name":"PeckShield — The Spartan Incident: Root Cause Analysis","type":"research","url":"https://peckshield.medium.com/the-spartan-incident-root-cause-analysis-a0324cb4b42a"},{"name":"Halborn — Explained: The Spartan Protocol Hack (May 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-spartan-protocol-hack-may-2021"},{"name":"Amber Group — Exploiting Spartan Protocol's LP-Share Calculation Flaws","type":"research","url":"https://medium.com/amber-group/exploiting-spartan-protocols-lp-share-calculation-flaws-391437855e74"},{"name":"SpartanProtocol Medium — Official Exploit Statement","type":"official","url":"https://spartanprotocol.medium.com/today-spartan-protocol-was-subject-to-an-exploit-targeting-the-liquidity-pools-8589b2069cef"},{"name":"SpartanProtocol Medium — Rebuilding Spartan Protocol","type":"official","url":"https://spartanprotocol.medium.com/rebuilding-spartan-protocol-25a2901e4637"},{"name":"SpartanProtocol Medium — Announcing the Spartan Protocol","type":"official","url":"https://medium.com/spartanprotocol/announcing-the-spartan-protocol-e15af93a8a8f"},{"name":"CertiK — Spartan Protocol Project Page","type":"research","url":"https://www.certik.com/projects/spartanprotocol"},{"name":"GitHub — spartan-protocol/resources CertiK Audit PDF","type":"official","url":"https://github.com/spartan-protocol/resources/blob/master/certik-audit.pdf"},{"name":"CoinTelegraph — Spartan Protocol Exploit Results in Loss of $30M","type":"news_article","url":"https://cointelegraph.com/news/spartan-protocol-exploit-results-in-loss-of-30m"},{"name":"BSC News — Project Insight: Spartan Protocol","type":"news_article","url":"https://bsc.news/post/spartan-protocol-project-review-incentivized-liquidity-and-synthetic-asset-generation"},{"name":"Smart Liquidity Research — Spartan Protocol V2 Mainnet Launch","type":"news_article","url":"https://smartliquidity.info/2021/10/05/spartan-protocol-v2-mainnet-launch/"},{"name":"CoinGecko — Spartan Protocol (SPARTA) Price","type":"other","url":"https://www.coingecko.com/en/coins/spartan-protocol"},{"name":"BeInCrypto — Spartan DeFi Suffers $30M Loss in BSC Flash Loan Attack","type":"news_article","url":"https://beincrypto.com/spartan-defi-suffers-30m-loss-bsc-flash-loan-attack/"}],"summary":"Spartan Protocol is a BSC-based decentralized liquidity protocol offering token swapping and synthetic asset generation via a liquidity-sensitive AMM. On May 2, 2021, a flash loan exploit targeting a flaw in the protocol's liquidity share calculation resulted in the loss of approximately $30 million in user funds, none of which were verifiably recovered. The protocol relaunched as V2 in October 2021 but has seen drastically reduced activity and a near-total collapse in token value.","timeline":[{"date":"2020-01-01","event":"Spartan Protocol V1 launches on Binance Smart Chain with a Proof-of-Burn token distribution model; no founder or treasury tokens allocated.","source":"SpartanProtocol Medium","source_url":"https://medium.com/spartanprotocol/announcing-the-spartan-protocol-e15af93a8a8f"},{"date":"2020-10-01","event":"CertiK completes a security audit of Spartan Protocol's smart contracts prior to launch. The critical liquidity share calculation vulnerability is not identified.","source":"SpartanProtocol Medium / CertiK","source_url":"https://spartanprotocol.medium.com/today-spartan-protocol-was-subject-to-an-exploit-targeting-the-liquidity-pools-8589b2069cef"},{"date":"2021-05-02","event":"Attacker exploits Spartan Protocol's SPARTA/WBNB liquidity pool using a 100,000 WBNB flash loan from PancakeSwap, draining approximately $30 million by manipulating the calcLiquidityShare() function to inflate the pool's reported balance before burning LP tokens.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2021/05/02/binance-smart-chains-spartan-protocol-loses-30m-in-exploit"},{"date":"2021-05-02","event":"Spartan Protocol team posts official acknowledgment of the exploit on Medium and Twitter; states it is in communication with Binance to trace the BNB used by the attacker.","source":"SpartanProtocol Medium","source_url":"https://spartanprotocol.medium.com/today-spartan-protocol-was-subject-to-an-exploit-targeting-the-liquidity-pools-8589b2069cef"},{"date":"2021-05-02","event":"PeckShield publishes a root cause analysis of the Spartan Protocol exploit, identifying the calcLiquidityShare() current-balance-query flaw.","source":"PeckShield Medium","source_url":"https://peckshield.medium.com/the-spartan-incident-root-cause-analysis-a0324cb4b42a"},{"date":"2021-05-03","event":"Amber Group contacts the Spartan Protocol team with a proof-of-concept for a second exploit vector. The team patches the Utils contract within 19 minutes.","source":"Amber Group Medium","source_url":"https://medium.com/amber-group/exploiting-spartan-protocols-lp-share-calculation-flaws-391437855e74"},{"date":"2021-05-01","event":"Spartan Protocol publishes a rebuilding plan: new SPARTA token with 1:1 bridge, snapshot at block 7048833, approximately 20 million SPARTA in LP compensation, and a Code4rena bounty for V2 contract security.","source":"SpartanProtocol Medium","source_url":"https://spartanprotocol.medium.com/rebuilding-spartan-protocol-25a2901e4637"},{"date":"2021-10-05","event":"Spartan Protocol V2 launches on BNB Chain mainnet with four initial pools entering a 7-day initialization phase.","source":"Smart Liquidity Research","source_url":"https://smartliquidity.info/2021/10/05/spartan-protocol-v2-mainnet-launch/"},{"date":"2026-05-01","event":"SPARTA token trades at approximately $0.0002 with a market cap of roughly $15,000 and 24-hour volume below $200; protocol is technically active but has negligible market activity.","source":"CoinGecko","source_url":"https://www.coingecko.com/en/coins/spartan-protocol"}]},"v":1}