QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$1 260 000 USD
JULY 2021
GLOBAL
APE ROCKET
DESCRIPTION OF EVENTS

"ApeRocket [is a] DeFi revenue mining aggregator and optimizer." "ApeRocket Finance is a suite of products in Decentralized Finance (DeFi) that provides yield optimization strategies through the Binance Smart Chain, using ApeSwap liquidity. The rise of PancakeBunny which contributed grandly to the explosion of PancakeSwap as the main decentralized exchange and automated market maker in the BSC has influenced us to build ApeRocket. We envision to provide the same results for ApeSwap as we truly believe in the ecosystem."
"Through automation, ApeRocket allows apes of all kinds to reap the benefits of compounding without additional steps. ApeRocket calculates the most optimal compound frequency and automatically compounds your tokens to provide you the best yields."
"At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited and drained $260K (883 BNB) out of the SPACE token LP on ApeSwap." "At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited and drained $1M (521 ETH) out of the SPACE token LP on Polygon." "The two hacks were carried out in Aave and PancakeSwap and amounted to a combined $1.26 million." "ApeRocket's BSC version and Polygon version encountered lightning loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000."
"In the first case the funds were deposited on the DAI — MATIC LP vault and in the second the CAKE vault. Due to the large amount of money deposited, the hacker held more than 99% of the funds on these two vaults. Once everything was in place, large amounts of money were sent to the vault contract (flashloan). Then functions were called from these vaults and an anomalously high number of tokens were minted in response, as these CAKE generated were far greater than the reality."
"The exploit on the BSC network occurred at 4:30 AM UTC, where the attacker hacked into ApeRocket’s CAKE vault and stole $260K (883 BNB) from SPACE token LP on ApeSwap. ApeRocket was working on creating a new version (ApeRocket V2) before the incident happened. The new version proposes more Annual Percent Yields (APYs), more compounds, and more possibilities than the V1 model."
"By sending a huge amount of CAKE to the vault and call harvest(), it increases the profit amount for everyone in the vault. While the hacker takes the majority share of the vault, almost all of the profit will still get returned to the hacker."
"According to the protocol’s statement, its launch on the Polygon network was done in a hurry, so the $1 million (521 ETH) hack on 14th July at 8 AM is unsurprising."
"The deposit() function of the MiniApeV2 of ApeSwap Polygon (a fork of SushiSwap’s MiniChefV2) allows deposits to any address, which is not possible for a regular MasterChef v1 (and the smart contract code is build with the assumption of underlying MC contract to be it), makes it possible to increase the profit amount for everyone in the vault."
"The consequences of this double exploit amounted to $260K and $1M." "The price of ApeRocket's SPACE token crashed by around 63% as a result."
"The yield farming aggregator and optimizer on the BSC took to Twitter to announce the deactivation of the SPACE minter after the unfortunate event. The SPACE minter mints the protocol’s native token -- SPACE." "No further SPACE tokens will be minted in the meantime while ApeRocket sets about compensating investors for the incident."
"In the official statement, the protocol explained how the hack happened, and the compensation plans to support affected users." "[T]he protocol plans to create a new token and distribute it to all holders of pSPACE. This will act as a form of compensation."
"Regarding the BSC we were already working on a new version of ApeRocket (ApeRocket V2) prior to the attack, easier to use, more didactic, gas efficient, meaning more compounds, more APYs, and offering us more possibilities. A compensation pool will be opened, and we also plan to set up buybacks to raise the price. More information will come at the end of the week about the procedure and the exact course of all this."
"Given the current situation on Polygon, we see no other solution than to set up a new token and an allocation of this new token to all people holding pSPACE, prior to the exploit, as a locked compensation for a yet to be defined period of time. We’ll pursue an aggressive buyback strategy with the performance fees accrued in Polygon by Aperocket V2."
"ApeRocket will conduct at least two audits before its V2 launch, according to the statement."
"We know that this may not seem like enough to many of you, but we will definitely give it our best shot and will make ApeRocket great again."
"Who is looking forward to ApeRocket v2? Pending audits before lift-off."
ApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts.
There were two exploits performed, both of them exploiting the reward/incentive logic of the smart contract to mint large rewards to the attacker.
The ApeRocket team has put together some basic compensation plans, and plans to more extensively audit the smart contract in the future.
HOW COULD THIS HAVE BEEN PREVENTED?
In general it is not possible to be certain that a smart contract is completely secure, however audits help reduce the risk.
The most secure method of storage for crypto-assets is a multi-signature cold storage wallet.
SlowMist Hacked - SlowMist Zone (May 18)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Moving Forward (Aug 11)
Aperocket Finance Performance Fee Minting Incident Root Cause Analysis (Aug 11)
Aperocket Polygon Performance Fee Minting Incident Root Cause Analysis (Aug 11)
ApeRocket (Aug 17)
YieldRocket - Documentation Portal - YieldRocket (Aug 17)
@ApeRocketFi Twitter (Aug 17)
DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M 'Flash Loan' Attack - CoinDesk (Aug 17)
DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M ‘Flash Loan’ Attack (Aug 17)
ApeRocket Releases Official Statement Regarding 1.2 Million DeFi Hack (Aug 17)
@ApeRocketFi Twitter (Aug 17)
@ApeRocketFi Twitter (Aug 17)
Binance Transaction Hash (Txhash) Details | BscScan (Aug 17)
