White Hat Hacker Group Block Sec Thwarted A 2900 Eth Exploit This Morning
Friday morning was anything but boring at the Bored Ape Yacht Club as a hacker attempted to drain ParaSpace’s Ape staking system but was thwarted by the known white hat hacker group Block Sec.
1,455 Bored Apes and Mutant Apes were staked in ParaSpace’s protocol during an attempted hack on the system around 2 A.M. EST on Friday morning.
After an unknown hacker attempted to exploit ParaSpace’s contract three times, Block Sec submitted the same transaction as the would-be hacker, but with a higher gas fee, and removed 2900 Eth or $4,973,500 USD from the protocol; thus saving the staking system!
“There is a flawed logic in borrow() of the ParaProxy contract (0x638a) of @ParaSpace_NFT,” Block Sec tweeted after it saved the funds. “The attacker can borrow more tokens as his scaledBalance will be enlarged by depositing into the position of the proxy (0xC5c9), i.e., specifying the _recipient of depositApeCoin(). Specifically, the scaledBalance is calculated with the following formula: sharesAmount.mul(_getTotalPooledApeBalance()).div(totalShares), while _getTotalPooledApeBalance() could be manipulated. In total, there are 6 key attack steps.”
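To make the accounting flaw Block Sec describes concrete, here is a simplified Python model added for this article (not ParaSpace’s code): a share-based pool whose pooled balance is read from an external staking position that anyone can top up without receiving shares, beside a hardened version that only counts balance which arrived through the share-minting deposit path. The class names, the `top_up_position` helper and the amounts are assumptions.

```python
# Simplified model of share accounting, an assumption and not ParaSpace's code:
# scaledBalance = shares * totalPooled / totalShares, as in the Block Sec tweet.
class VulnerableVault:
    """Pooled balance is read from an external staking position that anyone can
    top up without receiving shares, so existing holders' scaledBalance inflates."""
    def __init__(self):
        self.total_shares = 0
        self.shares = {}
        self.external_position = 0  # the proxy's balance in the external staking contract

    def _get_total_pooled_ape_balance(self):
        return self.external_position  # manipulable: third parties can grow it

    def deposit(self, who, amount):
        pooled = self._get_total_pooled_ape_balance()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // pooled
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.external_position += amount

    def top_up_position(self, amount):
        # Hypothetical helper: the proxy's position grows but no shares are minted.
        self.external_position += amount

    def scaled_balance(self, who):
        if self.total_shares == 0:
            return 0
        return self.shares.get(who, 0) * self._get_total_pooled_ape_balance() // self.total_shares


class HardenedVault(VulnerableVault):
    """Pooled balance is tracked internally and only changes on the deposit path."""
    def __init__(self):
        super().__init__()
        self.pooled = 0

    def _get_total_pooled_ape_balance(self):
        return self.pooled

    def deposit(self, who, amount):
        super().deposit(who, amount)
        self.pooled += amount


def alice_scaled_balance_around_top_up(vault_cls, top_up=200):
    # Constructed scenario: Alice and Bob each deposit 100, then an outside party
    # tops up the proxy position. Returns Alice's scaledBalance (before, after).
    v = vault_cls()
    v.deposit("alice", 100)
    v.deposit("bob", 100)
    before = v.scaled_balance("alice")
    v.top_up_position(top_up)
    return before, v.scaled_balance("alice")
```

In the vulnerable model Alice’s borrowable scaledBalance doubles from a top-up she never made; in the hardened model it does not move, which is the invariant a reviewer would want a test to assert.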
Following the attempted hack, the Bored Ape Gazette reached out to Block Sec and asked what happens next.
“We first will work with the team to ensure that the vulnerability will be fixed. Then we will return the funds to the project,” they said.
At the time of this article’s publication, Block Sec told the Gazette that they are in contact with ParaSpace and are working to fix the issue. “We are working with Paraspace to locate the root cause of the vulnerability,” they said.
The Bored Ape Gazette reached out to ParaSpace but did not immediately hear back from the company. At the time of this article’s publication, the company tweeted that users’ deposited Apes and NFTs are safe and that their team has paused its entire system out of an abundance of caution as it works with Block Sec.
“We noticed a suspicious transaction, and as a security measure, we have paused the entire ParaSpace protocol,” ParaSpace tweeted. “Currently, no transactions (withdrawals, deposits, liquidations) can take place with our contracts. We are currently investigating and will provide you with an update once we have more information. We can confirm that all NFTs supplied to the protocol are safe and have not been liquidated.”
The Bored Ape Gazette will continue to follow this story throughout the day. Stay tuned for updates!