ApeRocket (Polygon) Performance Fee Minting Incident Root Cause Analysis

The Exploit

At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited, and $1M (521 ETH) was drained from the SPACE token LP on Polygon.

How?

  1. Borrowed 24M DAI and 54M MATIC in flash loans from Aave.
  2. Created 25M DAI-MATIC LP.
  3. Deposited 10M LP to the DAI-MATIC LP vault. Got the majority share (99%) of the vault.
  4. Deposited 15M LP from the MiniApeV2 contract of ApeSwap to the DAI-MATIC LP vault of ApeRocket (see detailed analysis below).
  5. Called withdrawAll() on the vault.
  6. Because of the rather large amount of LP token added by the hacker at step 3 (deposited from ApeSwap’s MC), the withdrawal returned a large amount of profit. As a result, the system minted 2.5M pSPACE as a reward to the hacker.
  7. Swapped the rewarded pSPACE tokens for ETH and repaid the flash loan. Took out 521 ETH (in 2 transactions).

The Root Cause

The deposit() function allows deposits to another address, which makes adding profit as easy as depositing to the contract address on ApeSwap’s MC.
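
The accounting flaw described above, as an added Python model that is not ApeRocket's or ApeSwap's code: a vault that derives profit from its balance on the MC mints a reward when a third party credits LP to it, while a vault that counts only LP entering through its own deposit() does not. The class names, the 30% fee rate, the 100k "honest" deposit and the hardened variant are assumptions made for illustration; the hardened variant is one possible mitigation, not the fix that was deployed.

```python
# Constructed model; not ApeRocket or ApeSwap code. Names and rates are hypothetical.
class MasterChef:
    """Staking contract whose deposit() may credit any address."""
    def __init__(self):
        self.staked = {}

    def deposit(self, amount, to):
        self.staked[to] = self.staked.get(to, 0) + amount

class Vault:
    FEE_PCT = 30  # hypothetical share of profit paid out as minted reward tokens

    def __init__(self, mc, hardened):
        self.mc, self.hardened = mc, hardened
        self.shares, self.principal = {}, {}
        self.total_shares = 0
        self.tracked = 0  # LP that entered through Vault.deposit()

    def balance(self):
        # Vulnerable: trust the MC balance, which anyone can inflate.
        # Hardened: count only LP the vault itself accounted for.
        return self.tracked if self.hardened else self.mc.staked.get(self, 0)

    def deposit(self, user, amount):
        bal = self.balance()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // bal
        self.shares[user] = self.shares.get(user, 0) + minted
        self.principal[user] = self.principal.get(user, 0) + amount
        self.total_shares += minted
        self.tracked += amount
        self.mc.deposit(amount, to=self)

    def withdraw_all(self, user):
        # Computes the payout only; share burning and token transfers are omitted.
        amount = self.balance() * self.shares[user] // self.total_shares
        profit = max(0, amount - self.principal[user])
        return amount, profit * self.FEE_PCT // 100  # (LP returned, reward minted)

def simulate(hardened):
    mc = MasterChef()
    vault = Vault(mc, hardened)
    vault.deposit("honest", 100_000)        # constructed pre-existing depositor
    vault.deposit("attacker", 10_000_000)   # majority (99%) share of the vault
    mc.deposit(15_000_000, to=vault)        # LP credited to the vault address on the MC
    return vault.withdraw_all("attacker")[1]

if __name__ == "__main__":
    print("vulnerable mint:", simulate(False), "| hardened mint:", simulate(True))
```

In the hardened model the directly credited LP is simply not attributed to any depositor, so it produces no profit and no minted reward.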

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing needs, please contact us on Twitter or Telegram.

Pug against Rug