ApeRocket Finance Incident Analysis — Improper Reward Minting

Starting from Jul 14, 2021, 04:29:27 AM UTC, ApeRocket Finance was targeted in an attack that exploited a flaw in its reward minting process. The Inspex team covers the technical details behind the attack in this article.

Related Addresses

Attack Prerequisite

This attack only works when the TVL of the affected pool is very low, because the attacker must send $CAKE to the AutoCake contract and then harvest it as the reward. If other users have staked their $CAKE in the pool, calling the harvest() function distributes the attacker’s $CAKE to those users as well.

Unfortunately, the AutoCake contract had been deployed only 10 hours before the attack, so the TVL of the pool was very low.

Attack Steps

The attack took place on Binance Smart Chain; the attacker’s activity can be seen in the following transaction: https://www.bscscan.com/tx/0x701a308fba23f9b328d2cdb6c7b245f6c3063a510e0d5bc21d2477c9084f93e0

To carry out the attack, the attacker performed the following steps:

1. Borrowed 355,600 CAKE from BiSwap’s CAKE-WBNB pool and 1,259,459 CAKE from PancakeSwap’s CAKE-BUSD pool

2. Deposited 509,143 CAKE to ApeRocket’s AutoCake vault to get the share

3. Transferred 1,105,916 CAKE to ApeRocket’s AutoCake vault as the reward

4. Harvested the reward; since the share from the second step was the majority of the pool, this resulted in a huge amount of reward

5. Executed withdrawAll(), which deducts the performance fee from the reward and mints $SPACE through the mintFor() function as compensation

6. In the mintFor() function (the deployed contract’s source can be seen in their GitHub repo), the amount of $SPACE to be minted is calculated as the performance fee multiplied by a static variable amountSpaceToMintPerProfit equal to “64 * 10¹⁸”, which led to an excessive amount of minted $SPACE compared to the actual $SPACE price

7. Swapped all minted $SPACE to $WBNB to buy $CAKE back

8. Repaid the flash loan in $CAKE and swapped the leftovers back to $WBNB to make a profit

Code Analysis

The attack started at the AutoCake.deposit() function. This function receives the token from the user, then calculates and records the user’s share and principal; this corresponds to the second attack step.

The manipulation in the third step, in which the transferred $CAKE is harvested as a reward, can be seen in the _harvest() function shown below. When _harvest() was executed after the million $CAKE had been transferred, cakeAmount included the transferred balance, which was therefore treated as a reward.

In the fifth step, the attacker executed the withdrawAll() function, which uses the performance fee as a factor to calculate compensation via the _minter.mintFor() function. The performance fee was obtained from _minter.performanceFee(), taking the manipulated profit as input.

The _minter.mintFor() function, responsible for minting $SPACE, was then executed. The performance fee was used to derive performanceFeeInBnb, which in turn determined the amount of the $SPACE reward.

The amount of $SPACE is calculated by amountSpaceToMint(), which multiplies performanceFeeInBnb by a static variable named amountToMintPerProfit equal to “64 * 10¹⁸”. This value led to an excessive amount of minted $SPACE compared to the actual $SPACE price.
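The two weaknesses above (an unsolicited transfer booked as harvested profit, and $SPACE minted at a fixed rate per unit of fee) can be reproduced in a simplified accounting model. This is an added illustration written for this article, not ApeRocket’s contract code: the performance fee rate, the CAKE/BNB price and the 1,000 CAKE of pre-existing TVL are constructed assumptions, while the 509,143 / 1,105,916 CAKE amounts and the rate of 64 SPACE per BNB of fee come from the text.

```python
SPACE_PER_PROFIT_BNB = 64      # from the article: amountToMintPerProfit = 64 * 10^18 (1e18-scaled on-chain)
PERFORMANCE_FEE = 0.30         # assumption for illustration; the real fee rate is not stated on the page
CAKE_PRICE_BNB = 0.04          # assumption: constructed CAKE/BNB price used to express the fee in BNB

class Vault:
    """Bunny-style auto-compounding vault; book_whole_balance=True reproduces the flawed accounting."""
    def __init__(self, book_whole_balance: bool):
        self.book_whole_balance = book_whole_balance
        self.staked = 0.0        # CAKE the vault has put into the farm on behalf of all shareholders
        self.unsolicited = 0.0   # CAKE sent straight to the vault contract by a plain transfer
        self.total_shares = 0.0
        self.shares, self.principal = {}, {}

    def deposit(self, user, amount):
        new = amount if self.total_shares == 0 else amount * self.total_shares / self.staked
        self.shares[user] = self.shares.get(user, 0.0) + new
        self.principal[user] = self.principal.get(user, 0.0) + amount
        self.total_shares += new
        self.staked += amount

    def transfer_in(self, amount):
        self.unsolicited += amount   # an ERC-20 transfer, not a deposit: no shares, no principal

    def harvest(self, farm_reward):
        booked = farm_reward
        if self.book_whole_balance:      # flaw: cake.balanceOf(vault) includes the unsolicited transfer
            booked += self.unsolicited
            self.unsolicited = 0.0
        self.staked += booked            # compounded into the farm, raising the value of every share

    def withdraw_all(self, user):
        value = self.shares[user] * self.staked / self.total_shares
        profit = max(value - self.principal[user], 0.0)
        fee = profit * PERFORMANCE_FEE
        space_minted = fee * CAKE_PRICE_BNB * SPACE_PER_PROFIT_BNB  # fixed rate, blind to SPACE's market price
        self.staked -= value
        self.total_shares -= self.shares.pop(user)
        self.principal.pop(user)
        return {"profit": profit, "fee": fee, "space_minted": space_minted}

def run_scenario(book_whole_balance: bool):
    """Replays steps 2-5 of the article against a constructed 1,000 CAKE of pre-existing TVL."""
    v = Vault(book_whole_balance)
    v.deposit("other_users", 1_000.0)
    v.deposit("attacker", 509_143.0)      # step 2: deposit from the article
    v.transfer_in(1_105_916.0)            # step 3: plain transfer from the article
    v.harvest(farm_reward=0.0)            # step 4: harvest with no genuine farm reward
    return v.withdraw_all("attacker")     # step 5: withdrawAll() triggers the fee and the mint
```

With the flawed accounting the attacker’s “profit” is almost the entire transferred amount (diluted only by the 1,000 CAKE of other depositors) and $SPACE is minted against it at the fixed rate; with the hardened accounting, which books only what the farm actually paid out, the transfer yields no profit, no fee and no mint.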

Conclusion

Using the flaw explained above, the attack was executed twice, causing a total of 883 BNB in damage after repaying the flash loan.

After the attack was discovered, the fork of ApeRocket Finance running on Polygon, ApeSwap Finance, was also reported to have been hit by the same attack.

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co.

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo