Thunderstorm comes to Para.Space

Ancilia, Inc.
3 min read · Mar 17, 2023


  • This article was written while waiting for a response from the ParaSpace team.
  • On March 17, 2023, at 4:15 a.m. UTC, our system first detected the attack attempts; after analyzing and confirming them, we notified the ParaSpace team at 5:04 a.m. UTC.

A big thunderstorm is about to hit the young compound-style DeFi lending app Para.space: over $5m of funds will soon be lost.

An attacker deployed a contract on Ethereum mainnet and tried to attack Para.space. Due to gas constraints, the attempt failed 3 times:

The attacker address is 0x21B7A2c0F7C0C29c0Bbc55f5620Dc797c29c46B3 and the attacker contract address is 0xC1810Fb104681d0FBA5dDC454Ff7F2FD4eB19233.

Ancilia detected this FAILED attack and immediately reached out to Para.space through their Twitter. We are still waiting for their response so that we can provide our technical analysis.

Vulnerability analysis

The root cause lies in the function scaledBalanceOf() of contract 0xddde38696fbe5d11497d72d8801f651642d62353, which the supply() function uses to calculate a user's collateral. By manipulating the amount of APE counted in getPooledApeByShares(), an attacker can make scaledBalanceOf() return an inflated value. The user then holds inflated collateral and can use it to borrow more assets than the position should allow.

  1. The hacker flash-loans 47,111.35 wstETH shares from Lido.fi.
  2. Creates a new contract and uses it to supply about 6,000 wstETH in order to borrow 1.84M ParaSpace Compound APE (cAPE).
  3. Transfers the 1.84M to the original attack contract 0xc181.
  4. 0xc181 calls supply() with the 1.84M Compound APE to mint 1.84M cAPE derivative tokens.
  5. Repeats steps 2 to 4 eight times until the cAPE is drained (balance 10,894.16*1e18).
  6. Spends 1,334 ETH to swap out 491,166 APE tokens.
  7. Calls withdraw(1.84M) to get another 1.84M APE tokens.
  8. Now stakes ~2.3M APE tokens.
  9. Before lending assets, the ParaSpace compound protocol calls scaledBalanceOf() to check the user's collateral. Because of the price-manipulation bug, the hacker borrows far more than they should be able to.
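The dependency described above, a collateral figure derived from a pool's APE-per-share ratio, is the kind of relationship a monitoring system can watch for. The following is an added illustration written for this article and is not ParaSpace's contract code: it assumes a simplified share-based pool where the credited collateral equals shares × pooledApe ÷ totalShares (modelling getPooledApeByShares() and scaledBalanceOf() as the text describes them), feeds it constructed per-block snapshots, and flags the block in which the ratio jumps while the share supply stays flat, which is the signature of pooled value being inflated without shares being minted. The function names, thresholds and snapshot values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

E18 = 10**18  # token amounts are 1e18-scaled, as on-chain


@dataclass(frozen=True)
class PoolSnapshot:
    """One block's view of a hypothetical share-based APE pool (assumed model)."""
    block: int
    total_shares: int  # shares outstanding, 1e18-scaled
    pooled_ape: int    # APE the pool reports as backing those shares, 1e18-scaled


def pooled_ape_by_shares(snap: PoolSnapshot, shares: int) -> int:
    """APE value of `shares` at this snapshot; mirrors a getPooledApeByShares()-style lookup."""
    if snap.total_shares == 0:
        return 0
    return shares * snap.pooled_ape // snap.total_shares


def scaled_collateral(snap: PoolSnapshot, shares: int) -> int:
    """Collateral a lender would credit; mirrors a scaledBalanceOf()-style read.

    The lender trusts the pool's own ratio, so inflating pooled_ape inflates collateral.
    """
    return pooled_ape_by_shares(snap, shares)


def exchange_rate(snap: PoolSnapshot) -> float:
    """APE per share, the quantity an attacker must move to inflate collateral."""
    return snap.pooled_ape / snap.total_shares if snap.total_shares else 0.0


def detect_rate_jumps(snaps: List[PoolSnapshot],
                      max_rel_change: float = 0.05) -> List[Tuple[int, float]]:
    """Return (block, relative_change) for every block whose APE-per-share ratio moved
    more than max_rel_change versus the previous block. Staking rewards accrue slowly,
    so a large single-block jump is worth an alert."""
    alerts = []
    for prev, cur in zip(snaps, snaps[1:]):
        r0, r1 = exchange_rate(prev), exchange_rate(cur)
        if r0 == 0:
            continue
        rel = abs(r1 - r0) / r0
        if rel > max_rel_change:
            alerts.append((cur.block, rel))
    return alerts


def collateral_exceeds_deposit(deposited_ape: int, credited: int,
                               tolerance: float = 0.01) -> bool:
    """Sanity check a lender could apply: credited collateral should not exceed what the
    user actually deposited by more than a small yield allowance."""
    return credited > deposited_ape * (1 + tolerance)


# Constructed snapshots (not real chain data): rate drifts from 1.000 to 1.001 as rewards
# accrue, then at block 103 pooled_ape jumps 50% with no new shares minted.
SNAPSHOTS = [
    PoolSnapshot(100, 1_000_000 * E18, 1_000_000 * E18),
    PoolSnapshot(101, 1_000_000 * E18, 1_001_000 * E18),
    PoolSnapshot(102, 1_000_000 * E18, 1_001_000 * E18),
    PoolSnapshot(103, 1_000_000 * E18, 1_500_000 * E18),
]

if __name__ == "__main__":
    user_shares = 1_000 * E18
    for s in SNAPSHOTS:
        print(s.block, scaled_collateral(s, user_shares) / E18, "APE credited")
    print("alerts:", detect_rate_jumps(SNAPSHOTS))
```

The point of the two checks is that they look at different layers: detect_rate_jumps() is an off-chain monitor over the pool's reported ratio, while collateral_exceeds_deposit() is the bound a lending contract could enforce itself so that an inflated pool ratio cannot translate directly into extra borrowing power.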

This article was written while waiting for a response from the project.

The message we sent to ParaSpace:
