ApeRocket (Polygon) Performance Fee Minting Incident Root Cause Analysis

The Exploit

At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited and drained $1M (521 ETH) out of the SPACE token LP on Polygon.

Check out the Transaction Details on PolygonScan.

How?

1. Borrowed 24M DAI and 54M MATIC of flash loans from Aave.
2. Created 25M DAIMATIC LP.
3. Deposited 10M LP to the DAI-MATIC LP vault. Got the majority share (99%) of the vault.
4. Deposited 15M LP from the MiniApeV2 contract of ApeSwap to the DAI-MATIC LP vault of ApeRocket (see detailed analysis below).
5. Called withdrawAll() on the vault.
6. With the rather large amount of LP token added (deposited from ApeSwap’s MC) by the hacker at step 3, it returned a large amount of profit. As a result, the system minted 2.5M pSAPCE as a reward to the hacker.
7. Swapped the rewarded pSPACE token to ETH, repaid the flash loan. Taken out 521 ETH (in 2 transactions).

The Root Cause

The deposit() function allows deposits to another address, which makes adding profit as easy as deposit to the contract address on the MC of ApeSwap.

The deposit() function of the MiniApeV2 of ApeSwap Polygon (a fork of SushiSwap’s MiniChefV2) allows deposits to any address, which is not possible for a regular MasterChef v1 (and the smart contract code is build with the assumption of underlying MC contract to be it), makes it possible to increase the profit amount for everyone in the vault.

With the hacker takes the majority share of the vault, almost all of the profit will still get returned to the hacker.

When the minted SPACE token worth more than the 30% performance fee, it constitutes a valid economic attack.

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For the need for smart contract auditing, please contact us at Twitter or Telegram.

Donation: 0x227d72Ec9f332292523f64032DD25111676404aA