Decoding Spectra Lab’s Bonding Contract $250K Exploit
Overview
On December 1, 2024, Spectral's Syntax V2 bonding contract was exploited due to an infinite approval vulnerability in the AgentToken.sol contract. The attacker leveraged a flash loan to manipulate token approvals, enabling the transfer of almost all AgentToken.sol funds out of the bonding contract and disrupting the bonding curve calculations.
By artificially reducing token balances, the attacker caused the curve to misprice tokens, allowing them to extract a disproportionately large amount of SPEC tokens from the liquidity pool. A total of 14,793 SPEC tokens, worth approximately $250,000, were drained in the attack.
About Project
Spectral is at the forefront of a decentralized revolution, envisioning a future where onchain agents are not just a luxury for the tech-savvy but an accessible tool for everyone. Their mission is to transform the way individuals interact with the crypto ecosystem by establishing the Onchain Agent Economy — a framework that empowers users to create, own, and govern autonomous agents capable of executing sophisticated strategies around the clock.
Exploit Details
Vulnerable Contract: 0xD84B6CAccFCc9FA5F48c6277C40FaC0620f1d0c2
Attacker Address: 0x000000000000E921f69f1df9E0540ccdD4847A0D
Attacker Contract Address: 0x637A5Cdd63Eae6A673bE0fFbFBaf9830F905044c
Attack Transaction: 0xa3535c70c
Attack Process
- The attacker borrowed SPEC tokens through a flash loan to have sufficient initial liquidity for the exploit.
- The attacker swapped the borrowed SPEC tokens for AgentToken.sol tokens in the AutonomousAgentDeployer.sol contract using the swapExactSPECForTokens function.
- The attacker swapped the AgentToken.sol back for SPEC in the AutonomousAgentDeployer.sol contract through swapExactTokensForSPEC.
- AutonomousAgentDeployer.sol calls safeTransferFrom to transfer the tokens from the user to itself.
- Because AgentToken.sol is being transferred to the AgentBalances.sol contract, the transfer tax is applied, since the recipient is a contract.
- Inside the tax calculation code, a faulty line granted infinite approval of AgentToken.sol to the AgentBalances.sol contract (see line 90 of the contract).
- To exploit this, the attacker called the deposit function on the AgentBalances.sol contract. This function allowed them to transfer nearly all available AgentToken.sol balances from AutonomousAgentDeployer.sol to AgentBalances.sol, which in turn manipulated the bonding curve.
- The bonding curve, which uses an XYK (constant product) formula, now miscalculated the value of AgentToken.sol, making it appear far more valuable than it actually was.
- The attacker used the inflated price of AgentToken.sol to swap a small amount of it back for an outsized amount of SPEC tokens from the liquidity pool.
- By repeating the above process, the attacker drained approximately 14,793 SPEC tokens from the bonding curve, worth around $250,000 at the time.
The Root Cause
The root cause of the exploit was an unintended infinite approval in the AgentToken.sol contract during tax calculation. This approval granted the AgentBalances.sol contract unrestricted access to spend AgentToken.sol held by the AutonomousAgentDeployer.sol contract.
The attacker exploited this oversight to manipulate token balances, causing the bonding curve to misprice tokens and allowing them to drain liquidity.
Flow of Funds
See the funds flow here:
Post-Exploit Response
The team responded to the exploit quickly through their Twitter (X) account.
How could they have prevented the Exploit?
- Avoid Unnecessary Infinite Approvals: The approval logic in the tax mechanism should have been avoided entirely unless explicitly necessary.
- Restrict deposit(): The deposit() function on AgentBalances.sol should have been restricted to trusted entities or removed from public access entirely, ensuring only authorized users or contracts could call it.
- Collaborate with reputable auditors like QuillAudits to analyse smart contracts and identify vulnerabilities.
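The faulty approval described under "The Root Cause" and the two fixes listed above, shown side by side as an added illustration. This is not Spectral's code: the contract names, the 1% tax rate, the OpenZeppelin v5 base contracts, the "tax applies when the recipient is a contract" rule and the deposit(address, uint256) signature are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 is installed (npm or forge).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// ---------- Anti-pattern (hypothetical reconstruction, not Spectral's code) ----------

// Fee-on-transfer token whose tax branch also hands the fee receiver an
// unlimited allowance over the receiving contract. The fee itself needs no
// allowance at all, because _update moves it directly.
contract TaxedTokenVulnerable is ERC20 {
    address public immutable feeReceiver;   // plays the AgentBalances.sol role
    uint256 public constant TAX_BPS = 100;  // 1% tax; constructed value

    constructor(address receiver) ERC20("Agent", "AGT") {
        feeReceiver = receiver;
        _mint(msg.sender, 1_000_000e18);
    }

    function _update(address from, address to, uint256 value) internal override {
        // Tax applies only when the recipient is a contract (assumed rule).
        if (from != address(0) && to.code.length > 0) {
            uint256 tax = (value * TAX_BPS) / 10_000;
            // BUG: the recipient contract (the deployer, in the incident) now
            // lets the fee receiver spend its ENTIRE balance, forever.
            _approve(to, feeReceiver, type(uint256).max);
            super._update(from, feeReceiver, tax);
            super._update(from, to, value - tax);
        } else {
            super._update(from, to, value);
        }
    }
}

// Escrow whose public deposit() pulls from any address the caller names.
// With the allowance above, anyone can move the whole deployer balance here.
contract BalancesVulnerable {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC20 t) { token = t; }

    function deposit(address from, uint256 amount) external {
        token.transferFrom(from, address(this), amount); // BUG: arbitrary `from`
        deposited[from] += amount;
    }
}

// ---------- Hardened form ----------

contract TaxedTokenHardened is ERC20 {
    address public immutable feeReceiver;
    uint256 public constant TAX_BPS = 100;

    constructor(address receiver) ERC20("Agent", "AGT") {
        feeReceiver = receiver;
        _mint(msg.sender, 1_000_000e18);
    }

    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to.code.length > 0) {
            uint256 tax = (value * TAX_BPS) / 10_000;
            // No allowance is touched: the fee is moved directly, nothing more.
            super._update(from, feeReceiver, tax);
            super._update(from, to, value - tax);
        } else {
            super._update(from, to, value);
        }
    }
}

contract BalancesHardened {
    IERC20 public immutable token;
    address public immutable deployer;  // the only contract allowed to deposit
    mapping(address => uint256) public deposited;

    constructor(IERC20 t, address d) { token = t; deployer = d; }

    function deposit(address account, uint256 amount) external {
        require(msg.sender == deployer, "deposit: caller not trusted");
        // Pull only from the caller, and credit what actually arrived so a
        // fee-on-transfer token cannot desynchronise the ledger.
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposited[account] += token.balanceOf(address(this)) - before;
    }
}
```

Two review checks follow from the pair: any _approve call reached from a transfer path is a finding unless the approval is the explicit purpose of the function, and any transferFrom whose source address is a caller-supplied parameter is a finding unless the caller is itself the source or is otherwise trusted. A bonding curve that prices from balanceOf rather than from reserves it records on each swap inherits whichever of these defects lets a balance leave the contract outside swap().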
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.