Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 031 · Flash Loan Attack

Spartan Protocol LP-Share Drain

Spartan Protocol lost $30M on BSC via a flawed liquidity-share calculation, the first major flash-loan attack on BSC and a turning point for its DeFi sector.

On May 2, 2021 at roughly 16:00 UTC, Spartan Protocol — an early BSC AMM — was drained for approximately $30 million in what was widely reported as the first major flash-loan attack on Binance Smart Chain. The exploit landed during the protocol's planned upgrade to V2, and the timing was not a coincidence.

What happened

Spartan's pools calculated each user's LP share based on the current token balances inside the pool, read directly from the pool contract at the moment of withdrawal. The calculation was vulnerable to manipulation by anyone who could temporarily inflate the pool's balance in the same transaction they redeemed.

The attack:

  1. Flash-borrowed 100,000 wBNB on PancakeSwap.
  2. Swapped a portion through Spartan's pool to push the price of SPARTA hard against wBNB.
  3. Burned the LP tokens they held, redeeming a share calculated against the manipulated current balance — which credited them with far more underlying value than their share legitimately represented.
  4. Repeated the cycle until the pool was effectively empty.
  5. Repaid the flash loan (100,260 wBNB after fee) and walked with ~$30M in BNB, BTCB and BETH.

Stolen funds were laundered through 1inch, Anyswap and Nerve Finance into the Anyswap-bridged versions of major assets.

Aftermath

  • Spartan paused operations and shipped a V2 redesign with corrected LP-share math.
  • The protocol never fully recovered its pre-incident standing in BSC DeFi.
  • The incident was widely seen as a wake-up call for BSC's DeFi sector, which had been growing explosively in 2021 with less rigour around economic-invariant testing than Ethereum-side protocols.

Why it matters

Spartan is the first canonical flash-loan attack on BSC, in the same role that bZx played on Ethereum a year earlier. The structural lesson is identical — never read user-impact economic quantities directly from a manipulable pool balance — but the fact that BSC needed to learn it independently, with its own $30M loss, foreshadowed the broader pattern: every new L1 and L2 reinvents the same DeFi mistakes its predecessors made, on its own timeline, with its own millions of dollars in tuition.
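
The structural lesson above can be written as an invariant test. The following is an added illustration, not Spartan's contract code and not taken from the cited write-ups: a toy pool model in Python in which every name and number is hypothetical, and in which the "tracked reserves" quote is an assumed, commonly used mitigation rather than Spartan's actual V2 fix.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy two-asset pool; all names and values are hypothetical."""
    balance_base: int   # live token balance held by the pool contract
    balance_token: int
    reserve_base: int   # reserves tracked by the pool's own accounting
    reserve_token: int
    lp_supply: int

    def receive(self, base=0, token=0):
        """Tokens arrive at the pool without its accounting being updated."""
        self.balance_base += base
        self.balance_token += token

    def quote_live(self, units):
        """Flawed pattern described on this page: share of current balances."""
        return (units * self.balance_base // self.lp_supply,
                units * self.balance_token // self.lp_supply)

    def quote_tracked(self, units):
        """Assumed mitigation: share of internally tracked reserves."""
        return (units * self.reserve_base // self.lp_supply,
                units * self.reserve_token // self.lp_supply)


def make_pool():
    # Constructed sample state: 1,000 / 50,000 in the pool, 10,000 LP units.
    return Pool(1_000, 50_000, 1_000, 50_000, 10_000)


def payout_is_balance_independent(quote, units, bump):
    """Invariant: an unaccounted balance change must not alter a redemption quote."""
    before = quote(make_pool(), units)
    pool = make_pool()
    pool.receive(base=bump, token=bump)
    return quote(pool, units) == before


if __name__ == "__main__":
    for name, quote in (("live", Pool.quote_live), ("tracked", Pool.quote_tracked)):
        ok = payout_is_balance_independent(quote, units=100, bump=500)
        print(f"{name:8s} invariant holds: {ok}")
```

A property of this kind belongs in a pool's test suite or fuzzing harness, run across many balance perturbations rather than the single constructed case shown here.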

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-spartan-protocol-hack-may-2021
  2. beincrypto.com: https://beincrypto.com/spartan-defi-suffers-30m-loss-bsc-flash-loan-attack/
  3. medium.com: https://medium.com/amber-group/exploiting-spartan-protocols-lp-share-calculation-flaws-391437855e74
