On July 14, Aperocket, the revenue aggregator deployed on the BSC and Polygon chains, was attacked by lightning loans in less than 12 hours.
According to the tracking and location analysis of PeckShield, although the attacking methods used by the attackers were different twice, they all originated from the revenue inflation loopholes in Aperocket.
After the Aperocket on the BSC chain was attacked, the price of its token SPACE dropped by 75% for a short time.
Aperocket is the revenue aggregator of PancakeBunny, which was previously hit by a flash loan attack on “Fork” and triggered a series of flash loan attacks on Domino.
Users can obtain automatic compound income by staking tokens such as ApeSwap’s LP Token, CAKE or SPACE.
In this security incident, the attacker pledged CAKE, obtained CAKE rewards and SPACE token rewards (Aperocket’s additional rewards), and profited by exploiting the loopholes in AutoCake:withdrawAll().
PeckShield briefly describes the attack process on the BSC chain:
First, the attacker lent two flash loans from PancakeSwap, totaling 1.615 million CAKE;
Then deposit 509,000 CAKE into the fund pool. This step helps the attacker to call the WithdrawAll() or earned() function in the AutoCake contract later, the fund pool will mint SPACE tokens;
Since the attacker pledged a large amount of CAKE to the fund pool for the first time, this quickly increased its share of the fund pool, allowing it to share more than 90% of the AutoCake pledge income, namely CAKE and SPACE;
After completing the preliminary work and depositing CAKE into the fund pool, the attacker performed the second transaction, pledged 1.105 million CAKE into the AutoCake contract, and called the harvest function in the AutoCake contract to trigger the reinvestment, which is equivalent to the set of CAKE compound interest pool. Baby version, pledge CAKE, you can mine CAKE, and the contract automatically pledges the obtained CAKE to the CAKE fund pool.
As the CAKE included in the contract continues to grow, the SPACE forged will grow accordingly.
In the end, the attacker returned the flash loan and made a profit of 883.5 BNB (US$273,000 in contract). According to statistics from PeckShield, the attacker made a profit of approximately US$1 million on Polygon.
Since the first quarter of 2021, the DeFi market has shown a trend of multi-chain ecology. The entire market has continued the momentum of strong growth in the second half of 2020, and most indicators have reached record highs.
However, with the correction of the virtual currency market late in the second quarter, the DeFi field has also been more or less affected. While each public chain is competing for liquidity, the existing DeFi protocol is also exploring and adapting to the emerging mode of operation—multi-chain layout.
A considerable rate of return helps attract liquidity, but at the same time, the multi-chain layout also puts forward higher requirements on the security of the protocol and the speed of security response. When a security incident occurs, it is not only necessary to investigate the vulnerabilities that have been attacked for the first time, and to propose a security plan, but also to detect potential vulnerabilities on one chain as soon as possible to detect the protocol on another or more chains. Whether there are similar problems, and promptly warn the community to propose security solutions to avoid exposure of associated valuable assets to risks, which will help reduce the known and possible greater losses.
After the offensive and defensive battles with attackers in the first half of this year, PeckShield “distributed shields” discovered that it established a risk control fuse mechanism and introduced situational awareness and intelligence services from third-party security companies to respond to security risks as soon as possible, and promptly investigate and block security attacks. , Which can effectively reduce the losses caused by lightning loan attacks.
With the rise of multi-chain deployment, when dealing with security incidents, protocol participants and professional security teams are required to be more calm and calm than the attackers. This is a battle for time. The attackers will not stop and allow us to reflect. Only one step ahead of the attacker, even a small step, may become a big step for us to achieve a phased victory in this battle.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/the-difficulty-and-breaking-of-the-revenue-aggregator-aperocket-multi-chain-lightning-loan-attack/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.