ApeRocket (Polygon) Performance Fee Minting Incident Root Cause Analysis

The Exploit

At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited, and $1M (521 ETH) was drained out of the SPACE token LP on Polygon.

Check out the Transaction Details on PolygonScan.

How?

  1. Borrowed 24M DAI and 54M MATIC of flash loans from Aave.

The Root Cause

The deposit() function allows deposits to another address, which makes adding profit as easy as depositing to the contract address on ApeSwap’s MasterChef (MC).

The deposit() function of ApeSwap Polygon’s MiniApeV2 (a fork of SushiSwap’s MiniChefV2) allows deposits to any address. This is not possible with a regular MasterChef v1, and the smart contract code was built on the assumption that the underlying MC contract is a MasterChef v1. As a result, it is possible to increase the profit amount for everyone in the vault.

With the hacker holding the majority share of the vault, almost all of the profit still gets returned to the hacker.

When the minted SPACE tokens are worth more than the 30% performance fee, this constitutes a valid economic attack.
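The accounting flaw described above can be reproduced in a toy model. This is an added example, not ApeRocket's or ApeSwap's contract code: it compares a vault that trusts its pool balance with one that counts only the stake it placed itself. The class names, `mint_value` (value of SPACE minted per unit of fee) and the `hardened` flag are assumptions made for illustration.

```python
PERFORMANCE_FEE = 0.30  # the 30% performance fee named in the article

class MiniChef:
    """Toy MiniChefV2-style pool: deposit() credits any `to` address."""
    def __init__(self):
        self.staked = {}

    def deposit(self, amount, to):
        self.staked[to] = self.staked.get(to, 0.0) + amount

class Vault:
    """Toy vault. mint_value (value of SPACE minted per unit of fee) is assumed."""
    def __init__(self, chef, mint_value, hardened=False):
        self.chef, self.mint_value, self.hardened = chef, mint_value, hardened
        self.principal = {}    # user -> amount deposited through the vault
        self.accounted = 0.0   # stake the vault itself placed in the pool

    def deposit(self, user, amount):
        self.principal[user] = self.principal.get(user, 0.0) + amount
        self.accounted += amount
        self.chef.deposit(amount, "vault")

    def profit(self):
        # Naive: trust the pool balance (MasterChef v1 assumption).
        # Hardened: count only stake the vault placed itself (no farm rewards modeled).
        held = self.accounted if self.hardened else self.chef.staked["vault"]
        return held - sum(self.principal.values())

    def withdraw_all(self, user):
        """Return (underlying paid out, value of SPACE minted) for `user`."""
        share = self.principal[user] / sum(self.principal.values())
        user_profit = self.profit() * share
        fee = user_profit * PERFORMANCE_FEE
        stake = self.principal.pop(user)
        self.accounted -= stake
        self.chef.staked["vault"] -= stake + user_profit
        return stake + user_profit - fee, fee * self.mint_value

def attacker_pnl(donation, attacker_stake, others_stake, mint_value, hardened=False):
    chef = MiniChef()
    vault = Vault(chef, mint_value, hardened)
    vault.deposit("others", others_stake)
    vault.deposit("attacker", attacker_stake)
    chef.deposit(donation, "vault")  # direct pool deposit credited to the vault
    paid, minted = vault.withdraw_all("attacker")
    return paid + minted - attacker_stake - donation
```

With a 99% vault share, the position only turns profitable once the minted tokens are worth more than the fee that triggered them; in the hardened variant the directly deposited amount is never counted as profit.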

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing, please contact us on Twitter or Telegram.
