ApeRocket (BSC) Performance Fee Minting Incident Root Cause Analysis

The Exploit

At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited and drained $260K (883 BNB) out of the SPACE token LP on ApeSwap.

Check out the Transaction Details on BscScan.

How?

  1. Borrowed 1.6M CAKE ($21.8M) of flash loan from PancakeSwap.
  2. Added 509K CAKE of deposit to the CAKE vault. Got the majority share (99.5%) of the vault.
  3. Sent 1.1M CAKE to the CAKE vault contract.
  4. Called harvest() and getReward() on the CAKE vault.
  5. With the rather large amount of CAKE token in the wallet balance of the vault contract (sent by the hacker at step 3), it returned a large amount of profit (see detailed analysis below). As a result, the system minted 508K SAPCE as a reward to the hacker.
  6. Repeated one more time.
  7. Swapped the rewarded SPACE token to CAKE, repaid the flash loan. Taken out 883 BNB.

The Root Cause

The _harvest() function will reinvest all the CAKE.balanceOf(), which makes adding profit as easy as transfer CAKE to the contract address and call the public harvest() function.

By sending a huge amount of CAKE to the vault and call harvest(), it increases the profit amount for everyone in the vault. While the hacker takes the majority share of the vault, almost all of the profit will still get returned to the hacker.

When the minted SPACE token worth more than the 30% performance fee, it constitutes a valid economic attack.

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For the need for smart contract auditing, please contact us at Twitter or Telegram.

Donation: 0x227d72Ec9f332292523f64032DD25111676404aA

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store