Aping Peril: The Price Manipulation Exploit with ParaSpace


Project name: ParaSpace

Project type: Lending

Date of exploit: March 17, 2023

Asset loss: Around 50~150 ETH (2909 ETH Rescued)

Vulnerability: Price Manipulation

Date of audit report publishing:

  • Oct 25, 2022: ParaSpace (Audit 3)
  • Dec 23, 2022: ParaSpace - NFT Money Market

Conclusion: Out of Audit Scope

Details of the Exploit

Background

ParaSpace provides a lending protocol where users can deposit collateral and borrow tokens. On March 17, 2023, ParaSpace was exploited through a price manipulation attack in which the attacker could manipulate the collateral size to borrow extra tokens.

Nature of the Vulnerability

The size of collateralized assets is calculated by the scaledBalanceOf function, which calls the getPooledApeByShares function. getPooledApeByShares in turn computes sharesAmount.mul(_getTotalPooledApeBalance()).div(totalShares). The vulnerability lies in the AutoCompoundApe._getTotalPooledApeBalance function, which calculates the size of cApe collateral based on the staked amount in the ApeCoinStaking contract. The attacker can use the ApeCoinStaking.depositApeCoin function to greatly increase that staked amount.
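The following Python model is an added example, not ParaSpace's or CertiK's code. It reproduces the share formula quoted above with constructed numbers and compares it with one possible hardening, internally tracked deposits, which is an assumption and not the fix ParaSpace shipped. The class and method names are hypothetical stand-ins for the contracts named above, and the recipient parameter on the staking deposit is part of the model.

```python
class Staking:
    """Stand-in for ApeCoinStaking. Model assumption: anyone may add stake to any position."""
    def __init__(self):
        self.staked = {}

    def deposit_ape_coin(self, amount, recipient):
        self.staked[recipient] = self.staked.get(recipient, 0) + amount


class Vault:
    """Stand-in for AutoCompoundApe (cApe) share accounting."""
    def __init__(self, staking, internal_accounting):
        self.staking = staking
        self.internal = internal_accounting
        self.total_shares = 0
        self.shares = {}
        self.tracked = 0  # deposits the vault itself has recorded

    def total_pooled(self):
        # Vulnerable form: trust the externally visible staked amount.
        # Hardened form (assumption): count only what arrived through deposit().
        return self.tracked if self.internal else self.staking.staked.get(self, 0)

    def deposit(self, user, amount):
        pooled = self.total_pooled()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // pooled
        self.staking.deposit_ape_coin(amount, self)
        self.tracked += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def pooled_by_shares(self, shares_amount):
        # sharesAmount.mul(_getTotalPooledApeBalance()).div(totalShares)
        return shares_amount * self.total_pooled() // self.total_shares


def collateral_before_and_after(internal_accounting, external_stake):
    """Return one depositor's collateral size before and after a direct stake
    is credited to the vault's staking position (all amounts constructed)."""
    staking = Staking()
    vault = Vault(staking, internal_accounting)
    vault.deposit("alice", 1_000)
    vault.deposit("bob", 1_000)
    before = vault.pooled_by_shares(vault.shares["bob"])
    staking.deposit_ape_coin(external_stake, vault)  # bypasses vault.deposit()
    after = vault.pooled_by_shares(vault.shares["bob"])
    return before, after
```

With the external read, the reported collateral moves with any stake credited to the vault's position even though no shares were minted; a lending market that values collateral from this figure should compare it against its own deposit records or an independent price source.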

CertiK Audit Overview


Conclusion

On March 17, 2023, a vulnerability located in the AutoCompoundApe contract of the ParaSpace protocol was exploited by a price manipulation attack. Around 50~150 ETH tokens were lost due to slippage and 2909 ETH were rescued.

The vulnerability is located in the AutoCompoundApe contract, which was introduced after the audit and thus outside CertiK’s audit scope.
