BSC Ecology Another "Flash Loan Attack" Reappears | ApeRocket Finance Hacked Event Brief Analysis
Chengdu Lianan (成都链安)
2021-07-15 02:06
Project parties in the DeFi ecosystem need to pay special attention to the threat from "flash loan attacks", and actively cooperate with third-party security companies to build a complete and professional security protection mechanism.

1. Event overview

On July 14th, Beijing time, public-opinion monitoring by the Lianbian Blockchain Security Situational Awareness Platform (Beosin-Eagle Eye) showed that ApeRocket Finance, a DeFi yield-farming aggregator in the BSC ecosystem, had suffered a "flash loan attack". According to relevant sources, the attacker targeted ApeRocket's SPACE-BNB pool on ApeSwap, and the project token SPACE has since fallen by more than 75%.

The Chengdu Lianan Security Team has recently disclosed a number of "flash loan" attack incidents in the BSC ecosystem. In the ApeRocket Finance incident the attacker again relied on the "flash loan" attack pattern, the same old recipe in a new guise: profit was made by manipulating the "staking income" and "reward mechanism" of the project contract. It is worth noting that ApeRocket Finance is the first relatively typical security incident this month, and all project parties are reminded to keep up routine security auditing and protection.

2. Event analysis

Attack process analysis

1. The attacker first used a "flash loan" to borrow 1,259,459 + 355,600 CAKE.

2. The attacker then staked 509,143 of that CAKE in AutoCake (ApeRocket's strategy contract).

3. The attacker transferred the remaining 1,105,916 CAKE directly to the AutoCake contract, bypassing the staking function.

4. The attacker then called harvest in AutoCake to trigger reinvestment, which also reinvested the CAKE transferred directly in step 3.

5. Having completed the steps above, the attacker called getReward in AutoCake to settle the staking profit from step 2, which triggered the reward mechanism and minted a large amount of SPACE Token for profit.

6. Finally, the attacker repaid the "flash loan" and left, completing the attack.

Attack principle analysis

- In this attack, the attacker first staked a large amount of CAKE in AutoCake, giving them a very high share of the pool, so that they could capture almost all of the staking income paid out by AutoCake.

- In step 3, the attacker transferred a large amount of CAKE directly to the AutoCake contract. Because this CAKE was not staked through the contract's own logic, the contract treated it as "reward" (the staked asset is CAKE and the reward is also CAKE, so the contract cannot tell the two apart by balance alone).

- As a result, most of the CAKE sent directly to AutoCake was eventually settled back to the attacker.

- When getReward is executed, the function additionally mints SPACE Tokens and issues them to the user in proportion to the staking reward obtained. Under normal circumstances staking rewards are small, so very few SPACE Tokens are minted; because of the operations described above, however, a large number of SPACE Tokens were minted.
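The accounting weakness described above, as an added illustration that is not ApeRocket's code: a toy single-asset vault whose "reward" is derived from the raw token balance (weak) is compared with one that only credits what the farm actually paid out (strict). The amounts replay the steps of the write-up; the honest depositor, the farm yield and the SPACE mint rate are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Toy auto-compounding vault: staked asset and farm reward are both CAKE (hypothetical model)."""
    strict: bool                      # True: reward = farm payout only; False: reward = raw balance - principal
    balance: int = 0                  # CAKE actually held at the contract address
    principal: int = 0                # CAKE the contract has recorded as staked (incl. compounded rewards)
    total_shares: int = 0
    shares: dict = field(default_factory=dict)
    deposited: dict = field(default_factory=dict)
    space_minted: int = 0             # bonus token minted against rewards

    def deposit(self, user, amount):
        """Stake through the contract: shares are issued and principal is recorded."""
        new = amount if self.total_shares == 0 else amount * self.total_shares // self.principal
        self.shares[user] = self.shares.get(user, 0) + new
        self.deposited[user] = self.deposited.get(user, 0) + amount
        self.total_shares += new
        self.principal += amount
        self.balance += amount

    def transfer_in(self, amount):
        """Plain ERC-20 transfer to the contract address: no deposit() bookkeeping at all."""
        self.balance += amount

    def harvest(self, farm_yield):
        """Compound: claim farm yield and fold it into principal without minting new shares."""
        self.balance += farm_yield
        # Weak accounting treats every unaccounted token as yield, including stray transfers.
        reward = farm_yield if self.strict else self.balance - self.principal
        self.principal += reward
        return reward

    def get_reward(self, user):
        """Settle the user's pro-rata gain and mint SPACE against it (constructed rate: 1 per 100 CAKE)."""
        value = self.principal * self.shares[user] // self.total_shares
        reward = value - self.deposited[user]
        self.space_minted += reward // 100
        return reward


def run_scenario(strict):
    """Replay the write-up's sequence against the toy vault; returns (attacker CAKE gain, SPACE minted)."""
    v = Vault(strict)
    v.deposit("honest", 100_000)      # constructed ordinary depositor
    v.deposit("attacker", 509_143)    # step 2: staked via deposit()
    v.transfer_in(1_105_916)          # step 3: sent straight to the contract
    v.harvest(farm_yield=1_000)       # step 4: constructed genuine farm yield
    return v.get_reward("attacker"), v.space_minted   # step 5
```

In the weak vault the stray transfer is redistributed to share holders as "reward" and the SPACE mint scales with it; in the strict vault the same transfer stays outside the reward math (to be swept by governance), and both figures stay at the level the genuine farm yield justifies.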

3. Event review

It is not difficult to see that this is a typical attack that uses "flash loans" to realise a profit. The key point is the "reward mechanism" in the AutoCake contract's own logic, which ultimately allowed the attacker to mint a large number of SPACE Tokens and take the profit. This is also the first typical "flash loan" attack this month, and it deserves attention.

The Chengdu Lianan Security Team suggested that as "flash loans" become more and more popular in the DeFi ecosystem, attackers lurking in the dark are also ready to use "flash loans" to launch attacks at any time. Therefore, all project parties in the DeFi ecosystem still need to pay special attention to the threat from "flash loan attacks", and actively cooperate with third-party security companies to build a complete and professional security protection mechanism.
