
BlockSec researchers have discovered a vulnerability in the ParaSpace NFT lending protocol. The bug put 2900 ETH and an unspecified number of BAYC collection tokens at risk.
1/ There is a flawed logic in borrow() of the ParaProxy contract (0x638a) of @ParaSpace_NFT . The attacker can borrow more tokens as his scaledBalance will be enlarged by depositing into the position of the proxy (0xC5c9), i.e., specifying the _recipient of depositApeCoin(). https://t.co/Z4e1QOpLg3 pic.twitter.com/fkd96nAPHb
— BlockSec (@BlockSecTeam) March 17, 2023
The researchers found that a potential attacker needs only six steps to borrow funds that are not backed by collateral.
2/ Specifically, the scaledBalance is calculated with the following formula: sharesAmount.mul(_getTotalPooledApeBalance()).div(totalShares), while _getTotalPooledApeBalance() could be manipulated.
In total, there are 6 key attack steps. pic.twitter.com/kvEpHqPNP5
— BlockSec (@BlockSecTeam) March 17, 2023
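The share valuation BlockSec describes, modelled as an added example (not ParaSpace's code; the class and function names are hypothetical): a proxy that prices its shares from an externally readable staking balance, shown beside one common hardening, internal balance tracking, which is an assumption here and not the fix ParaSpace applied.

```python
class StakingPool:
    """Toy external staking contract: a deposit may be credited to any recipient."""

    def __init__(self):
        self.positions = {}  # recipient -> staked balance

    def deposit(self, recipient, amount):
        self.positions[recipient] = self.positions.get(recipient, 0) + amount

    def balance_of(self, account):
        return self.positions.get(account, 0)


class VulnerableProxy:
    """Values shares as shares * totalPooled / totalShares, with totalPooled read
    straight from the external pool, so any deposit credited to the proxy's
    position raises every holder's scaled balance without minting shares."""

    def __init__(self, pool):
        self.pool, self.shares, self.total_shares = pool, {}, 0

    def _total_pooled_ape(self):
        return self.pool.balance_of("proxy")  # externally manipulable reading

    def deposit(self, user, amount):
        pooled = self._total_pooled_ape()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // pooled
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.pool.deposit("proxy", amount)

    def scaled_balance(self, user):
        if self.total_shares == 0:
            return 0
        return self.shares.get(user, 0) * self._total_pooled_ape() // self.total_shares


class HardenedProxy(VulnerableProxy):
    """Tracks the pooled balance internally; only the proxy's own deposit path
    changes it, so outside deposits to its position cannot inflate share value."""

    def __init__(self, pool):
        super().__init__(pool)
        self.tracked_pooled = 0

    def _total_pooled_ape(self):
        return self.tracked_pooled

    def deposit(self, user, amount):
        super().deposit(user, amount)
        self.tracked_pooled += amount


def scaled_balance_before_after(proxy_cls):
    """Constructed scenario: two depositors, then a 2000-unit deposit credited
    directly to the proxy's position. Returns one holder's scaled balance
    before and after that outside deposit."""
    pool = StakingPool()
    proxy = proxy_cls(pool)
    proxy.deposit("alice", 1000)
    proxy.deposit("bob", 1000)
    before = proxy.scaled_balance("bob")
    pool.deposit("proxy", 2000)  # bypasses the proxy, no shares minted
    return before, proxy.scaled_balance("bob")
```

With the vulnerable valuation the outside deposit doubles bob's scaled balance (1000 to 2000) and hence his borrowing headroom; with internal tracking it stays at 1000.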
The ParaSpace team said it noticed suspicious activity and paused the protocol.
We noticed a suspicious transaction, and as a security measure, we have paused the entire ParaSpace protocol.
Currently, no transactions (withdrawals, deposits, liquidations) can take place with our contracts.
We are currently investigating and will provide you with an update… https://t.co/3vrIciVF5C
— ParaSpace (@ParaSpace_NFT) March 17, 2023
The developers will publish the results of the incident investigation later.
“We can confirm that all NFTs transferred to the protocol are safe and have not been liquidated,” the team assured.
We can confirm that all NFTs supplied to the protocol are safe and have not been liquidated.
BAYC:
NFT Staking Pool: https://t.co/yg0ZalDK3n
P2P contract: https://t.co/Xvh8ndYofn
MAYC:
NFT Staking Pool: https://t.co/HKjZoUr2Nc
P2P contract: https://t.co/AvAhjgOrQG… https://t.co/1nj1B9B2Nk
— ParaSpace (@ParaSpace_NFT) March 17, 2023
Recall that in 2022 the Web3 industry lost about $3.6 billion as a result of hacks. This is almost 50% more than a year earlier, Beosin experts calculated.