Ape Rocket Finance Reward Bug

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Ape Rocket

ApeRocket is a service with a series of liquidity pools available for investors. All funds are stored "hot" in smart contract, and subject to any vulnerabilities that may be present in the contracts.

There were two exploits performed, both of them exploiting the reward/incentive logic of the smart contract to mint large rewards to the attacker.

The ApeRocket team has put together some basic compensation plans, and plans to more extensively audit the smart contract in the future.

This is a global/international case not involving a specific country.

About Ape Rocket

"ApeRocket [is a] DeFi revenue mining aggregator and optimizer." "ApeRocket Finance is a suite of products in Decentralized Finance (DeFi) that provides yield optimization strategies through the Binance Smart Chain, using ApeSwap liquidity. The rise of PancakeBunny which contributed grandly to the explosion of PancakeSwap as the main decentralized exchange and automated market maker in the BSC has influenced us to build ApeRocket. We envision to provide the same results for ApeSwap as we truly believe in the ecosystem."

"Through automation, ApeRocket allows apes of all kinds to reap the benefits of compounding without additional steps. ApeRocket calculates the most optimal compound frequency and automatically compounds your tokens to provide you the best yields."

"At around 4:30 AM UTC on July 14, ApeRocket’s CAKE vault was exploited and drained $260K (883 BNB) out of the SPACE token LP on ApeSwap." "At around 8 AM UTC on July 14, ApeRocket’s MATIC-DAI vault on Polygon was exploited and drained $1M (521 ETH) out of the SPACE token LP on Polygon." "The two hacks were carried out in Aave and PancakeSwap and amounted to a combined $1.26 million." "ApeRocket's BSC version and Polygon version encountered lightning loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000."

"In the first case the funds were deposited on the DAI — MATIC LP vault and in the second the CAKE vault. Due to the large amount of money deposited, the hacker held more than 99% of the funds on these two vaults. Once everything was in place, large amounts of money were sent to the vault contract (flashloan). Then functions were called from these vaults and an anomalously high number of tokens were minted in response, as these CAKE generated were far greater than the reality."

"The exploit on the BSC network occurred at 4:30 AM UTC, where the attacker hacked into ApeRocket’s CAKE vault and stole $260K (883 BNB) from SPACE token LP on ApeSwap. ApeRocket was working on creating a new version (ApeRocket V2) before the incident happened. The new version proposes more Annual Percent Yields (APYs), more compounds, and more possibilities than the V1 model."

"By sending a huge amount of CAKE to the vault and call harvest(), it increases the profit amount for everyone in the vault. While the hacker takes the majority share of the vault, almost all of the profit will still get returned to the hacker."

"According to the protocol’s statement, its launch on the Polygon network was done in a hurry, so the $1 million (521 ETH) hack on 14th July at 8 AM is unsurprising."

"The deposit() function of the MiniApeV2 of ApeSwap Polygon (a fork of SushiSwap’s MiniChefV2) allows deposits to any address, which is not possible for a regular MasterChef v1 (and the smart contract code is build with the assumption of underlying MC contract to be it), makes it possible to increase the profit amount for everyone in the vault."

"The consequences of this double exploit amounted to $260K and $1M." "The price of ApeRocket's SPACE token crashed by around 63% as a result."

"The yield farming aggregator and optimizer on the BSC took to Twitter to announce the deactivation of the SPACE minter after the unfortunate event. The SPACE minter mints the protocol’s native token -- SPACE." "No further SPACE tokens will be minted in the meantime while ApeRocket sets about compensating investors for the incident."

"In the official statement, the protocol explained how the hack happened, and the compensation plans to support affected users." "[T]he protocol plans to create a new token and distribute it to all holders of pSPACE. This will act as a form of compensation."

"Regarding the BSC we were already working on a new version of ApeRocket (ApeRocket V2) prior to the attack, easier to use, more didactic, gas efficient, meaning more compounds, more APYs, and offering us more possibilities. A compensation pool will be opened, and we also plan to set up buybacks to raise the price. More information will come at the end of the week about the procedure and the exact course of all this."

"Given the current situation on Polygon, we see no other solution than to set up a new token and an allocation of this new token to all people holding pSPACE, prior to the exploit, as a locked compensation for a yet to be defined period of time. We’ll pursue an aggressive buyback strategy with the performance fees accrued in Polygon by Aperocket V2."

"ApeRocket will conduct at least two audits before its V2 launch, according to the statement."

"We know that this may not seem like enough to many of you, but we will definitely give it our best shot and will make ApeRocket great again."

"Who is looking forward to ApeRocket v2? Pending audits before lift-off."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Ape Rocket Finance Reward Bug
Date	Event	Description
July 13th, 2021 12:00:00 AM	Main Event	Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $1,260,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?