ParaSpace Says That Users' NFTs Are Safe After A Hacker Attempted To Drain Its Ape Staking Protocol
After a hacker attempted to drain ParaSpace’s Ape Staking system Friday morning, the protocol announced that users’ NFTs are safe and that it is working with the white hat hacker group that thwarted the attack!
“We have spent the last several hours identifying the root cause and confirming the financial impact of the exploit to the protocol and users,” ParaSpace told the Gazette. “We are glad to report that user funds and assets in the platform are safe and that the financial impact of the exploit was minimal.”
In total, ParaSpace said that the protocol’s losses were between 50 and 150 Eth “due to slippage from the exploiter swapping between tokens during the exploit.” The company said in a Twitter post this morning that it will be reimbursing these funds to the protocol.
This 50-150 Eth loss is small in comparison to the 2,909 Eth or $4.9 million USD that the white hat hacker group BlockSec rescued from the would-be thief this morning.
As the Bored Ape Gazette previously reported, after an unknown hacker attempted to exploit ParaSpace’s contract three times, BlockSec submitted the same transaction as the would-be hacker, but with a higher gas fee, and removed 2900 Eth or $4,973,500 USD from the protocol, thus saving the staking system!
“There is a flawed logic in borrow() of the ParaProxy contract (0x638a) of @ParaSpace_NFT,” BlockSec tweeted after it saved the funds. “The attacker can borrow more tokens as his scaledBalance will be enlarged by depositing into the position of the proxy (0xC5c9), i.e., specifying the _recipient of depositApeCoin(). Specifically, the scaledBalance is calculated with the following formula: sharesAmount.mul(_getTotalPooledApeBalance()).div(totalShares), while _getTotalPooledApeBalance() could be manipulated. In total, there are 6 key attack steps.”
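The formula quoted in the tweet, worked through as an added example (not ParaSpace's or BlockSec's code): a toy Python model of a share-accounted position showing how a borrow limit derived from `shares * pooled / totalShares` moves when the pooled balance grows without new shares being minted, beside a hypothetical rate-cap guard. The class, the 70% loan-to-value, the 0.5% cap and all numbers are assumptions made for illustration, and the guard is not the fix ParaSpace shipped.

```python
from dataclasses import dataclass

LTV_BPS = 7_000            # assumed 70% loan-to-value (illustrative)
MAX_RATE_GROWTH_BPS = 50   # hypothetical guard: +0.5% over last checkpoint

@dataclass
class StakingPosition:
    """Toy share-accounted pool; every name and number is constructed."""
    total_shares: int
    pooled_balance: int    # stands in for _getTotalPooledApeBalance()
    checkpoint_rate_e18: int = 0

    def rate_e18(self) -> int:
        # Tokens per share, scaled by 1e18 to stay in integer math.
        return self.pooled_balance * 10**18 // self.total_shares

    def checkpoint(self) -> None:
        # Record the rate at a trusted point (e.g. end of previous block).
        self.checkpoint_rate_e18 = self.rate_e18()

    def deposit_to_position(self, amount: int) -> None:
        # Tokens credited to the position without minting shares:
        # pooled_balance grows while total_shares stays fixed.
        self.pooled_balance += amount

    def scaled_balance(self, shares: int) -> int:
        # Formula from the tweet: sharesAmount * totalPooled / totalShares
        return shares * self.pooled_balance // self.total_shares

    def borrow_limit_naive(self, shares: int) -> int:
        # Trusts the live pooled balance, so it follows any inflation.
        return self.scaled_balance(shares) * LTV_BPS // 10_000

    def borrow_limit_guarded(self, shares: int) -> int:
        # Values collateral at a rate capped relative to the checkpoint.
        cap = self.checkpoint_rate_e18 * (10_000 + MAX_RATE_GROWTH_BPS) // 10_000
        rate = min(self.rate_e18(), cap)
        return shares * rate // 10**18 * LTV_BPS // 10_000


def demo() -> dict:
    pos = StakingPosition(total_shares=1_000, pooled_balance=1_000)
    pos.checkpoint()
    before = pos.borrow_limit_naive(100)
    pos.deposit_to_position(9_000)   # balance changes, share count does not
    return {"before": before,
            "naive_after": pos.borrow_limit_naive(100),
            "guarded_after": pos.borrow_limit_guarded(100)}
```

With the same 100 shares, the naive limit rises tenfold after the pooled balance is inflated, while the capped valuation stays where it was before the deposit.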
ParaSpace told the Gazette that the protocol will be releasing a postmortem report on this attack along with security enhancements the protocol plans to take going forward.
At the time of this article’s publication, ParaSpace’s protocol is still paused out of an abundance of caution.
“Our team is currently patching the vulnerabilities identified and we will keep the protocol paused during this time,” ParaSpace tweeted. “We will resume protocol functionality once we have re-audited our platform with Secure3 and we are in active conversations with additional auditors and security experts including @BlockSecTeam, @0xQuit, @SlowMist_Team, and @CertiK. We will provide a timeline on when we can resume the protocol on mainnet ASAP.”
The Bored Ape Gazette will continue to follow this story throughout the day. Stay tuned for updates!