ApeRocket (BSC) Performance Fee Minting Incident Root Cause Analysis

The Exploit

At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited, and $260K (883 BNB) was drained out of the SPACE token LP on ApeSwap.

How?

  1. Borrowed 1.6M CAKE ($21.8M) through a flash loan from PancakeSwap.
  2. Deposited 509K CAKE into the CAKE vault, obtaining the majority share (99.5%) of the vault.
  3. Sent 1.1M CAKE to the CAKE vault contract.
  4. Called harvest() and getReward() on the CAKE vault.
  5. Because the wallet balance of the vault contract now held a rather large amount of CAKE (sent by the hacker at step 3), the harvest returned a large amount of profit (see detailed analysis below). As a result, the system minted 508K SPACE as a reward to the hacker.
  6. Repeated one more time.
  7. Swapped the rewarded SPACE tokens to CAKE and repaid the flash loan. Took out 883 BNB.

The Root Cause

The _harvest() function reinvests the whole of CAKE.balanceOf(), which makes adding profit as easy as transferring CAKE to the contract address and calling the public harvest() function.
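
The accounting flaw described above, modelled in Python beside a hardened harvest that counts only the balance change produced by the farm claim. This is an added example, not ApeRocket's contract code; the single-depositor Vault class, the fee rate and the mint ratio are assumptions made for illustration.

```python
# Simplified single-depositor model of a reward-minting vault.
# Constructed for illustration; not ApeRocket's contract code.
FEE_BPS = 3000        # assumed performance fee (30%), constructed
MINT_PER_FEE = 5      # assumed reward tokens minted per fee token, constructed


class Vault:
    def __init__(self, count_whole_balance):
        self.count_whole_balance = count_whole_balance
        self.wallet = 0         # token.balanceOf(vault); any transfer raises it
        self.staked = 0         # principal deposited in the farm
        self.pending_yield = 0  # farm yield not yet claimed
        self.profit = 0         # harvested profit awaiting get_reward()

    def deposit(self, amount):
        self.staked += amount

    def donate(self, amount):
        # Plain token transfer to the vault address: no vault code runs.
        self.wallet += amount

    def harvest(self):
        before = self.wallet
        self.wallet += self.pending_yield  # claim yield from the farm
        self.pending_yield = 0
        if self.count_whole_balance:
            harvested = self.wallet           # flawed: donations count as yield
        else:
            harvested = self.wallet - before  # hardened: only what the claim paid
        self.wallet -= harvested
        self.staked += harvested              # reinvest
        self.profit += harvested
        return harvested

    def get_reward(self):
        fee = self.profit * FEE_BPS // 10_000
        self.profit = 0
        return fee * MINT_PER_FEE  # reward tokens minted to the depositor


def minted_after_donation(count_whole_balance, donation, real_yield=10):
    vault = Vault(count_whole_balance)
    vault.deposit(1_000)
    vault.pending_yield = real_yield
    vault.donate(donation)
    vault.harvest()
    return vault.get_reward()
```

With the hardened measurement the minted reward depends only on yield the farm actually paid, so a direct transfer to the vault address no longer changes it.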

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing, please contact us on Twitter or Telegram.

Pug against Rug