“Lightning Loan Attack” Reappearance of ApeRocket Finance Hacked Event Brief Analysis

Project parties in the DeFi ecosystem need to pay special attention to threats from “flash loan attacks” and actively cooperate with third-party security companies to build a complete and professional security protection mechanism.

1. Event overview

On July 14th, Beijing time, the public opinion monitoring of Beosin-Eagle Eye (Beosin-Eagle Eye) showed that ApeRocket Finance, a BSC ecological DeFi income farming aggregator, suffered a “lightning loan attack.” According to related news, in this attack, the attacker targeted ApeRocket’s SPACE-BNB pool under Apeswap, and its project token SPACE has fallen by more than 75%.

The Chengdu Lian’an security team has recently disclosed multiple BSC ecological “lightning loan” attacks. In the ApeRocket Finance hacking incident, the attackers still used the “lightning loan” attack principle to “change the soup without changing the medicine”. Manipulate the “pledge income” and “reward mechanism” of the project contract to make profits. It is worth noting that ApeRocket Finance is the first relatively typical security attack this month. We hereby remind all project parties to do a good job in daily security audits and security protection.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

2. Event analysis

Attack process analysis

1. The attacker first used “Flash Loan” and borrowed 1,259,459+355,600 cakes.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

2. Subsequently, 509,143 of the cakes are mortgaged to AutoCake (equivalent to Aperocket’s strategic contract).

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

3. The attacker directly entered the remaining 1,105,916 cakes into the AutoCake contract.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

4. Then the attacker then invokes harvest in AutoCake to trigger a reinvestment, and enters the cake of Autocake in step 3 for investment.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

5. After completing the above attack steps, the attacker calls getReward in AutoCake to settle the mortgage profit in step 2, and then triggers the reward mechanism to mint a large number of SPACE Tokens for profit.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

6. Return the “Flash Loan” and leave after completing the entire attack.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

Attack principle analysis

In this attack, the attacker first pledged a large number of Cakes in AutoCake, which made his shareholding ratio very high, so that he could share almost all of the pledge income in AutoCake.

In step 3, the attacker directly injects a large amount of cake into the AutoCake contract. This part of the cake is not entered into the AutoCake contract by mortgage; according to the logic of the contract, it will be regarded as a “reward” (mortgage cake, reward Also cake).

Once and again, most of the cake directly into AutoCake will eventually be settled to the attacker.

But on the other hand, when the getReward operation is performed, the function will mint SPACE Token according to the amount of reward obtained by pledge and issue it to the user as another reward. Under normal circumstances, the pledge reward is small, so the SPACE Token minted will be very small; however, due to the above operations of the attacker, a large number of SPACE Tokens have been minted.

Coin World-"Lightning Loan Attack" Reappears A Brief Analysis of ApeRocket Finance's Hacked Event

3. Event review

It is not difficult to see that this is a typical attack event that uses “lightning loans” to complete profit. The key point is the logical “reward mechanism” of the AutoCake contract itself, which ultimately led the attacker to cast a large number of SPACE Tokens to complete the profit. . At the same time, this is also the first typical “flash loan” attack this month, which deserves attention.

The Chengdu Lian’an security team suggested that as “lightning loans” become more and more popular in the DeFi ecosystem, attackers lurking in the dark are also ready to use “lightning loans” to launch attacks. Therefore, the project parties of the DeFi ecosystem still need to pay special attention to the threat from the “flash loan attack”, and actively cooperate with third-party security companies to build a complete and professional security protection mechanism.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/lightning-loan-attack-reappearance-of-aperocket-finance-hacked-event-brief-analysis/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-07-14 10:20
Next 2021-07-14 10:22

Related articles