Ape Rocket Finance Reward Bug: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/aperocketfinancerewardbug.php}} thumb|Ape RocketApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts. There were two exploits performed, both of them exploiting the reward/incentive logic of the smart contract to mint large reward...")
 
No edit summary
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/aperocketfinancerewardbug.php}}
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/aperocketfinancerewardbug.php}}
{{Unattributed Sources}}


[[File:Aperocket.jpg|thumb|Ape Rocket]]ApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts.
[[File:Aperocket.jpg|thumb|Ape Rocket]]ApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts.
Line 8: Line 9:


This is a global/international case not involving a specific country.
This is a global/international case not involving a specific country.
<ref name="slowmisthacked-678" /><ref name="openblocksecgithub-2342" /><ref name="aperocketmedium-2585" /><ref name="watchpugmedium-2586" /><ref name="watchpugmedium-2587" /><ref name="aperocketfinance-2588" /><ref name="aperocket-2589" /><ref name="aperocketfitwitter-2590" /><ref name="coindesk-2591" /><ref name="sports-2592" /><ref name="bscdotnews-2593" /><ref name="aperocketfitwitter-2594" /><ref name="aperocketfitwitter-2595" /><ref name="bscscan-2596" />


== About Ape Rocket ==
== About Ape Rocket ==
Line 111: Line 113:


== References ==
== References ==
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 17)
<references><ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref>


[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 10)
<ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref>


[https://aperocket.medium.com/moving-forward-24b9ae22c428 Moving Forward] (Aug 10)
<ref name="aperocketmedium-2585">[https://aperocket.medium.com/moving-forward-24b9ae22c428 Moving Forward] (Aug 11, 2021)</ref>


[https://watchpug.medium.com/aperocket-finance-performance-fee-minting-incident-root-cause-analysis-b959c1e963ba Aperocket Finance Performance Fee Minting Incident Root Cause Analysis] (Aug 10)
<ref name="watchpugmedium-2586">[https://watchpug.medium.com/aperocket-finance-performance-fee-minting-incident-root-cause-analysis-b959c1e963ba Aperocket Finance Performance Fee Minting Incident Root Cause Analysis] (Aug 11, 2021)</ref>


[https://watchpug.medium.com/aperocket-polygon-performance-fee-minting-incident-root-cause-analysis-ed216f422f56 Aperocket Polygon Performance Fee Minting Incident Root Cause Analysis] (Aug 10)
<ref name="watchpugmedium-2587">[https://watchpug.medium.com/aperocket-polygon-performance-fee-minting-incident-root-cause-analysis-ed216f422f56 Aperocket Polygon Performance Fee Minting Incident Root Cause Analysis] (Aug 11, 2021)</ref>


[https://aperocket.finance/ ApeRocket] (Aug 16)
<ref name="aperocketfinance-2588">[https://aperocket.finance/ ApeRocket] (Aug 17, 2021)</ref>


[https://aperocket.gitbook.io/ape-rocket/ YieldRocket - Documentation Portal - YieldRocket] (Aug 16)
<ref name="aperocket-2589">[https://aperocket.gitbook.io/ape-rocket/ YieldRocket - Documentation Portal - YieldRocket] (Aug 17, 2021)</ref>


[https://twitter.com/ApeRocketFi/status/1425845045291323401 @ApeRocketFi Twitter] (Aug 16)
<ref name="aperocketfitwitter-2590">[https://twitter.com/ApeRocketFi/status/1425845045291323401 @ApeRocketFi Twitter] (Aug 17, 2021)</ref>


[https://www.coindesk.com/defi-yield-farming-aggregator-aperocket-suffers-1-26m-flash-loan-attack DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M 'Flash Loan' Attack - CoinDesk] (Aug 16)
<ref name="coindesk-2591">[https://www.coindesk.com/defi-yield-farming-aggregator-aperocket-suffers-1-26m-flash-loan-attack DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M 'Flash Loan' Attack - CoinDesk] (Aug 17, 2021)</ref>


[https://ca.sports.yahoo.com/news/defi-yield-farming-aggregator-aperocket-153230316.html DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M ‘Flash Loan’ Attack] (Aug 16)
<ref name="sports-2592">[https://ca.sports.yahoo.com/news/defi-yield-farming-aggregator-aperocket-153230316.html DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M ‘Flash Loan’ Attack] (Aug 17, 2021)</ref>


[https://www.bsc.news/post/aperocket-releases-official-statement-regarding-1-2-million-decentralized-finance-defi-hack ApeRocket Releases Official Statement Regarding 1.2 Million DeFi Hack] (Aug 16)
<ref name="bscdotnews-2593">[https://www.bsc.news/post/aperocket-releases-official-statement-regarding-1-2-million-decentralized-finance-defi-hack ApeRocket Releases Official Statement Regarding 1.2 Million DeFi Hack] (Aug 17, 2021)</ref>


[https://twitter.com/ApeRocketFi/status/1415318033409642500 @ApeRocketFi Twitter] (Aug 16)
<ref name="aperocketfitwitter-2594">[https://twitter.com/ApeRocketFi/status/1415318033409642500 @ApeRocketFi Twitter] (Aug 17, 2021)</ref>


[https://twitter.com/ApeRocketFi/status/1415453250988527622 @ApeRocketFi Twitter] (Aug 16)
<ref name="aperocketfitwitter-2595">[https://twitter.com/ApeRocketFi/status/1415453250988527622 @ApeRocketFi Twitter] (Aug 17, 2021)</ref>


[https://bscscan.com/tx/0x701a308fba23f9b328d2cdb6c7b245f6c3063a510e0d5bc21d2477c9084f93e0 Binance Transaction Hash (Txhash) Details | BscScan] (Aug 16)
<ref name="bscscan-2596">[https://bscscan.com/tx/0x701a308fba23f9b328d2cdb6c7b245f6c3063a510e0d5bc21d2477c9084f93e0 Binance Transaction Hash (Txhash) Details | BscScan] (Aug 17, 2021)</ref></references>

Revision as of 21:52, 22 February 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Ape Rocket

ApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts.

There were two exploits performed, both of them exploiting the reward/incentive logic of the smart contract to mint large rewards to the attacker.

The ApeRocket team has put together some basic compensation plans, and plans to more extensively audit the smart contract in the future.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About Ape Rocket

"ApeRocket [is a] DeFi revenue mining aggregator and optimizer." "ApeRocket Finance is a suite of products in Decentralized Finance (DeFi) that provides yield optimization strategies through the Binance Smart Chain, using ApeSwap liquidity. The rise of PancakeBunny which contributed grandly to the explosion of PancakeSwap as the main decentralized exchange and automated market maker in the BSC has influenced us to build ApeRocket. We envision to provide the same results for ApeSwap as we truly believe in the ecosystem."

"Through automation, ApeRocket allows apes of all kinds to reap the benefits of compounding without additional steps. ApeRocket calculates the most optimal compound frequency and automatically compounds your tokens to provide you the best yields."

"At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited and drained $260K (883 BNB) out of the SPACE token LP on ApeSwap." "At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited and drained $1M (521 ETH) out of the SPACE token LP on Polygon." "The two hacks were carried out in Aave and PancakeSwap and amounted to a combined $1.26 million." "ApeRocket's BSC version and Polygon version encountered lightning loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000."

"In the first case the funds were deposited on the DAI — MATIC LP vault and in the second the CAKE vault. Due to the large amount of money deposited, the hacker held more than 99% of the funds on these two vaults. Once everything was in place, large amounts of money were sent to the vault contract (flashloan). Then functions were called from these vaults and an anomalously high number of tokens were minted in response, as these CAKE generated were far greater than the reality."

"The exploit on the BSC network occurred at 4:30 AM UTC, where the attacker hacked into ApeRocket’s CAKE vault and stole $260K (883 BNB) from SPACE token LP on ApeSwap. ApeRocket was working on creating a new version (ApeRocket V2) before the incident happened. The new version proposes more Annual Percent Yields (APYs), more compounds, and more possibilities than the V1 model."

"By sending a huge amount of CAKE to the vault and call harvest(), it increases the profit amount for everyone in the vault. While the hacker takes the majority share of the vault, almost all of the profit will still get returned to the hacker."

"According to the protocol’s statement, its launch on the Polygon network was done in a hurry, so the $1 million (521 ETH) hack on 14th July at 8 AM is unsurprising."

"The deposit() function of the MiniApeV2 of ApeSwap Polygon (a fork of SushiSwap’s MiniChefV2) allows deposits to any address, which is not possible for a regular MasterChef v1 (and the smart contract code is build with the assumption of underlying MC contract to be it), makes it possible to increase the profit amount for everyone in the vault."

"The consequences of this double exploit amounted to $260K and $1M." "The price of ApeRocket's SPACE token crashed by around 63% as a result."

"The yield farming aggregator and optimizer on the BSC took to Twitter to announce the deactivation of the SPACE minter after the unfortunate event. The SPACE minter mints the protocol’s native token -- SPACE." "No further SPACE tokens will be minted in the meantime while ApeRocket sets about compensating investors for the incident."

"In the official statement, the protocol explained how the hack happened, and the compensation plans to support affected users." "[T]he protocol plans to create a new token and distribute it to all holders of pSPACE. This will act as a form of compensation."

"Regarding the BSC we were already working on a new version of ApeRocket (ApeRocket V2) prior to the attack, easier to use, more didactic, gas efficient, meaning more compounds, more APYs, and offering us more possibilities. A compensation pool will be opened, and we also plan to set up buybacks to raise the price. More information will come at the end of the week about the procedure and the exact course of all this."

"Given the current situation on Polygon, we see no other solution than to set up a new token and an allocation of this new token to all people holding pSPACE, prior to the exploit, as a locked compensation for a yet to be defined period of time. We’ll pursue an aggressive buyback strategy with the performance fees accrued in Polygon by Aperocket V2."

"ApeRocket will conduct at least two audits before its V2 launch, according to the statement."

"We know that this may not seem like enough to many of you, but we will definitely give it our best shot and will make ApeRocket great again."

"Who is looking forward to ApeRocket v2? Pending audits before lift-off."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Ape Rocket Finance Reward Bug
Date Event Description
July 13th, 2021 12:00:00 AM Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $1,260,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

In general it is not possible to be certain that a smart contract is completely secure, however audits help reduce the risk.

The most secure method of storage for crypto-assets is a multi-signature cold storage wallet.

References

  1. SlowMist Hacked - SlowMist Zone (May 18, 2021)
  2. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  3. Moving Forward (Aug 11, 2021)
  4. Aperocket Finance Performance Fee Minting Incident Root Cause Analysis (Aug 11, 2021)
  5. Aperocket Polygon Performance Fee Minting Incident Root Cause Analysis (Aug 11, 2021)
  6. ApeRocket (Aug 17, 2021)
  7. YieldRocket - Documentation Portal - YieldRocket (Aug 17, 2021)
  8. @ApeRocketFi Twitter (Aug 17, 2021)
  9. DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M 'Flash Loan' Attack - CoinDesk (Aug 17, 2021)
  10. DeFi Yield Farming Aggregator ApeRocket Suffers $1.26M ‘Flash Loan’ Attack (Aug 17, 2021)
  11. ApeRocket Releases Official Statement Regarding 1.2 Million DeFi Hack (Aug 17, 2021)
  12. @ApeRocketFi Twitter (Aug 17, 2021)
  13. @ApeRocketFi Twitter (Aug 17, 2021)
  14. Binance Transaction Hash (Txhash) Details | BscScan (Aug 17, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Ape_Rocket_Finance_Reward_Bug&oldid=2624"