To All Community Members of Spectral:

Following is a detailed breakdown of the exploit that targeted the bonding contract on Syntax on December 1st, 2024. We're writing this post to provide further updates on our investigation and remediation plan following the initial communication we issued in this regard.

https://x.com/Spectral_Labs/status/1863212410070253824

What Happened

Spectral Syntax V2 was launched publicly on Nov 27, 2024, 9:32 PM UTC. In our codebase, the central contract is AutonomousAgentDeployer.sol, deployed at address 0xd84b6caccfcc9fa5f48c6277c40fac0620f1d0c2. This contract is responsible for:

In our system, AgentToken.sol tokens have a built-in tax mechanism. Whenever an AgentToken is transferred to a smart contract, a tax is applied. Half of that tax is sent to the AgentBalances.sol contract. This tax function contained an unforeseen vulnerability.

The Vulnerability

The exploit centers on an unintended infinite approval in the AgentToken.sol contract, granted by AutonomousAgentDeployer.sol to AgentBalances.sol. Specifically, during transferFrom, the following sequence occurs:

  1. TransferFrom Initiation: AutonomousAgentDeployer.sol calls transferFrom on the AgentToken.sol contract to move tokens from the user to the AgentBalances.sol contract.

  2. Tax Trigger: Transferring AgentTokens to a contract triggers the transfer tax.

  3. Approval Oversight: Inside the transfer logic, an unintended line of code (line 90) had been left in:

    approve(address(agentBalances), type(uint256).max);

This approval unintentionally gave AgentBalances.sol unlimited permission to spend AgentToken held by AutonomousAgentDeployer.sol. Our deposit function was deliberately generic so that agent creators could send funds to their agent's trading wallet and support its operations; the infinite approval, however, was an oversight in that implementation, and it allowed anyone to move tokens (the tokens used to calculate the price of an AgentToken in our internal pools) into AgentBalances.sol.
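To make the mechanism concrete, here is an added illustration that is not Spectral's code and not the deployed contracts: a minimal ERC20 with a transfer tax, written once as a shared base and then as a vulnerable and a hardened variant. The contract and variable names, the 1% tax rate, the treatment of the second half of the tax, and the hook layout are all assumptions. The key point it shows is that approve() always acts on msg.sender; when the transfer is driven by transferFrom, msg.sender is the caller (the deployer contract), not the user whose tokens are being moved, so an approve() inside the tax path hands the caller's allowance to the sink.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Spectral's code. Names, the tax rate and the
// hook layout are assumptions chosen to show the bug class in isolation.
abstract contract TaxedToken {
    string public constant name = "Agent";
    string public constant symbol = "AGT";
    uint8 public constant decimals = 18;
    uint256 public constant TAX_BPS = 100; // assumed 1% tax, in basis points

    address public immutable agentBalances; // assumed tax sink contract
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(address _agentBalances) {
        agentBalances = _agentBalances;
        balanceOf[msg.sender] = 1_000_000 * 1e18;
        emit Transfer(address(0), msg.sender, balanceOf[msg.sender]);
    }

    // Allowances are always keyed on msg.sender: whoever executes this call.
    function approve(address spender, uint256 value) public returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transfer(address to, uint256 value) public returns (bool) {
        _transferWithTax(msg.sender, to, value);
        return true;
    }

    // During transferFrom, msg.sender is the *operator* (e.g. a deployer
    // contract), while `from` is the token owner whose balance moves.
    function transferFrom(address from, address to, uint256 value) public returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "insufficient allowance");
        if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - value;
        _transferWithTax(from, to, value);
        return true;
    }

    function _transferWithTax(address from, address to, uint256 value) internal {
        uint256 tax = 0;
        if (to.code.length > 0) { // tax applies only when the recipient is a contract
            tax = value * TAX_BPS / 10_000;
            _move(from, agentBalances, tax / 2);          // half of the tax to the sink
            _move(from, address(this), tax - tax / 2);    // remainder kept by the token (assumption)
            _afterTax();
        }
        _move(from, to, value - tax);
    }

    function _move(address from, address to, uint256 value) internal {
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }

    function _afterTax() internal virtual;
}

// The bug class described above: approve() runs with msg.sender as the
// allowance owner. On a transferFrom initiated by a deployer contract, this
// line grants the *deployer's* balance to the sink, with no action by the
// deployer's owner and without regard to who `from` was.
contract VulnerableAgentToken is TaxedToken {
    constructor(address sink) TaxedToken(sink) {}

    function _afterTax() internal override {
        approve(agentBalances, type(uint256).max); // leftover line; see line 90 in the post
    }
}

// Hardened variant: the tax path only moves balances. Allowances change
// solely through an explicit approve() made by the allowance owner.
contract HardenedAgentToken is TaxedToken {
    constructor(address sink) TaxedToken(sink) {}

    function _afterTax() internal override {}
}
```

A cheap regression check for this class of defect is an invariant test that, after every deposit path exercised in the suite, asserts `token.allowance(address(deployer), address(agentBalances)) == 0` for any token the deployer holds; the vulnerable variant above fails that assertion on the first taxed transferFrom, the hardened one does not. More generally, an approve() or allowance write anywhere outside the user-facing approve/permit entry points is worth flagging in review, because its effective owner is whichever contract happens to be msg.sender at that point in the call chain.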

The Exploit

An attacker exploited this vulnerability through the following steps:

  1. Preparation