ApeRocket Finance Incident Analysis — Improper Reward Minting
Starting from Jul 14, 2021, 04:29:27 AM UTC, ApeRocket Finance was targeted in an attack that exploited an issue in the reward minting process. In this article, the Inspex team covers the technical details behind the attack.
- Attacker wallet: https://www.bscscan.com/address/0x53d07afa123702469ab6cf286e9ff7033a7eff65
- Attacker’s Contract: https://www.bscscan.com/address/0x3523b46a2ccd8b43b2141ab0ccc38f7b013b771c
- AutoCake contract: https://www.bscscan.com/address/0x274b5b7868c848ac690dc9b4011e9e7e29133700
- SpaceMinter contract: https://www.bscscan.com/address/0xd79dc49ed716832658ec28fe93dd733e0dfb8d58
To perform this attack, the TVL of the affected pool must be very low, because the attacker must send $CAKE to the AutoCake contract and harvest it as the reward. If other users have staked their $CAKE in the pool, then when the harvest() function is performed, the attacker’s $CAKE will be shared with those users as well.
Unfortunately, the AutoCake contract was just deployed 10 hours before the attack. Thus, the TVL of the pool was very low.
Based on the attack that happened on Binance Smart Chain, the attacker’s activity can be seen from the following transaction: https://www.bscscan.com/tx/0x701a308fba23f9b328d2cdb6c7b245f6c3063a510e0d5bc21d2477c9084f93e0
In order to carry out the successful attack, the following steps were accomplished by the attacker:
1. Borrowed 355,600 CAKE from BiSwap’s CAKE-WBNB pool and 1,259,459 CAKE from PancakeSwap’s CAKE-BUSD pool
2. Deposited 509,143 CAKE to ApeRocket’s AutoCake vault to get the share
3. Transferred 1,105,916 CAKE to ApeRocket’s AutoCake vault as the reward
4. Harvested the reward since the share from the second step is the majority of the pool. This resulted in a huge amount of reward
5. Executed withdrawAll(), which resulted in the performance fee being deducted from the reward and $SPACE being minted with function mintFor() as compensation
6. In function mintFor() that has been deployed with verification but we can take a look at their GitHub repo, the amount of $SPACE to be minted is calculated as the performance fee multiplied by a static variable amountSpaceToMintPerProfit, which equals “64 * 10¹⁸”. This led to an excessive amount of minted $SPACE compared to the actual $SPACE price
7. Swapped all minted $SPACE to $WBNB for buying $CAKE back
8. Repaid a flash loan in $CAKE and swapped the leftovers back to $WBNB to make a profit
The attack started at the AutoCake.deposit() function. This function receives the token from the user, then calculates and records the user’s share and principal, as highlighted in the second step of the attack.
In the third step, the attacker transferred $CAKE directly to the vault and then harvested, so that the transferred amount was treated as a reward. This can be seen in the _harvest() function: when _harvest() was executed after the million $CAKE was transferred, cakeAmount was accumulated with the balance deposited, which was seen as a reward.
In the fifth step of the attack, the attacker executed the withdrawAll() function, which uses the performance fee as a factor to calculate compensation with the _minter.mintFor() function. The performance fee was obtained from _minter.performanceFee(), taking the manipulated profit as an input.
The _minter.mintFor() function, which is responsible for minting $SPACE, was executed accordingly. The performance fee was used to find performanceFeeInBnb, which was then used to determine the amount of $SPACE reward.
The amount of $SPACE is calculated by amountSpaceToMint(), taking the result of performanceFeeInBnb multiplied by a static variable named amountToMintPerProfit, which equals “64 * 10¹⁸”. This value led to an excessive amount of minted $SPACE compared to the actual $SPACE price.
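The accounting flaw and the low-TVL precondition described above can be reproduced in a small Python model. This is an added example, not ApeRocket's contract code: the 30% fee, the CAKE/BNB price and the pre-existing TVL figures are constructed assumptions, and the count_only_farm_reward switch is one possible hardening that the article itself does not describe.

```python
from fractions import Fraction

FEE_BPS = 3000                 # assumption: 30% performance fee (not stated in the article)
CAKE_IN_BNB = Fraction(1, 20)  # assumption: constructed CAKE/BNB price
SPACE_PER_BNB = 64             # the static "64 * 10^18" multiplier, in whole tokens

class Vault:
    """Toy model of the vault's share accounting; not the deployed contract."""
    def __init__(self, count_only_farm_reward):
        self.count_only_farm_reward = count_only_farm_reward
        self.staked = 0        # CAKE accounted to share holders
        self.loose = 0         # CAKE sent to the vault address by plain transfer
        self.total_shares = 0
        self.shares, self.principal = {}, {}

    def deposit(self, user, amount):
        new = amount if self.total_shares == 0 else amount * self.total_shares // self.staked
        self.shares[user] = self.shares.get(user, 0) + new
        self.principal[user] = self.principal.get(user, 0) + amount
        self.total_shares += new
        self.staked += amount

    def transfer_in(self, amount):
        self.loose += amount   # bypasses deposit(): no shares, no principal recorded

    def harvest(self, farm_reward=0):
        if self.count_only_farm_reward:
            self.staked += farm_reward               # hardened: only what the farm paid out
        else:
            self.staked += farm_reward + self.loose  # vulnerable: whole balance is "reward"
            self.loose = 0

    def withdraw_all(self, user):
        share = self.shares.pop(user)
        amount = self.staked * share // self.total_shares
        self.total_shares -= share
        self.staked -= amount
        profit = max(amount - self.principal.pop(user), 0)
        fee = profit * FEE_BPS // 10_000                # performance fee in CAKE
        space = int(fee * CAKE_IN_BNB * SPACE_PER_BNB)  # fee in BNB times the multiplier
        return profit, fee, space

def run(other_tvl, hardened):
    v = Vault(count_only_farm_reward=hardened)
    v.deposit("others", other_tvl)     # constructed pre-existing TVL
    v.deposit("attacker", 509_143)     # step 2 amount from the article
    v.transfer_in(1_105_916)           # step 3 amount from the article
    v.harvest()                        # step 4
    return v.withdraw_all("attacker")  # steps 5 and 6
```

Comparing run(1_000, False) with run(5_000_000, False) shows why a freshly deployed pool was the target: with a large existing TVL most of the transferred CAKE goes to other stakers, while run(1_000, True) reports no profit and mints nothing.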
Using the flaw explained above, the attack was found to have been executed twice, causing a total of 883 BNB in damage after repaying the flash loan.
After the attack was discovered, the fork of ApeRocket Finance running on Polygon, ApeSwap Finance, was also reported to have suffered the same attack.
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.