On June 8, 2022, the ApolloX token (APX) dropped 52.12% following a hack that called the claim() function of ApolloxExchangeTreasury repeatedly. The attacker received about 53 million $APX from the contract and then swapped them on PancakeSwap for $BUSD, roughly $2,150,414 USD at the time of writing.
The contract uses the standard ECDSA library from OpenZeppelin version 3.2.0. Signatures are generated outside this contract and are therefore out of the audit's scope.
ApolloX officially announced the hack the same day as the incident. An attacker exploited a flaw in the trading rewards to accumulate signatures, which they then used to withdraw $APX tokens and swap them for $BUSD. ApolloX temporarily disabled the withdraw function on the DEX for approximately 4 hours, resolved the issue, and then re-enabled it. ApolloX stated on all their social media platforms that they plan to make up for the losses through the open repurchase of APX and APX earned from exchange trading fees. Announcement: ApolloX on Twitter
The project was launched in December 2021, and APX is the native token of the ApolloX Exchange. APX is a BEP-20 token on the Binance Smart Chain (BSC).
The attacker claimed ApolloX Tokens using these transactions:
Then swapped on PancakeSwap:
~5 Million APX for 246,560 BUSD https://bscscan.com/tx/0xc2607de512e31737659b78e8b6f6cc4a82b10f3da953e901e95a0c7beea440de
~7 Million APX for 291,276 BUSD https://bscscan.com/tx/0xe944b576b46402c830bf79062ba22728c55c87c73062f944f01d71d7fb707f53
~7 Million APX for 246,243 BUSD https://bscscan.com/tx/0x55c45952611cdd1b1d1c168c1b0bd6198ff64c71abb67aecda8ffa4057758cc6
~7 Million APX for 213,971 BUSD https://bscscan.com/tx/0x57030b6e64f81b854601abc5953837d4d7b3f2534593a1f48485fffd37630b94
~7 Million APX for 160,999 BUSD
~7 Million APX for 115,535 BUSD
~7 Million APX for 183,061 BUSD https://bscscan.com/tx/0x72c7c6b8c73d4e70905c48f7fcc6a5c4a0ba27323067e7bbf2fae8f2cf80be02
~7 Million APX for 143,451 BUSD https://bscscan.com/tx/0x902ebbe7418c719032b524be101c2f3d88f8e061f85e19c5b6ab62a4b65b83c0
The attacker called multiple contracts, which in turn called claim() on ApolloxExchangeTreasury repeatedly. Each time, the function validated the submitted message and signature with ECDSA.recover() and transferred the corresponding token amount from the contract to the attacker.
The attacker then dumped the APX for BUSD on PancakeSwap.
In total the attacker netted about 2.1 million BUSD.
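The page does not show the treasury's source or name the precise flaw, so the following is an added illustration, not the ApolloX code: a minimal signature-gated claim() that shows where the controls a reviewer checks for in this pattern sit (consuming a per-user nonce before paying out, binding the signed digest to chain, contract, recipient and amount, and an expiry). Contract, function and variable names are assumed, and the import paths follow OpenZeppelin 4.x rather than the 3.2.0 release named above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Hypothetical treasury with an off-chain-authorised claim(). Rewards are signed by a
// single key (the centralization risk noted in the findings); the contract's job is to
// make sure each authorisation pays out exactly once, to exactly whom it was issued.
contract SignedClaimTreasury {
    using ECDSA for bytes32;

    IERC20 public immutable token;
    address public signer;                      // off-chain rewards signer
    mapping(address => uint256) public nonces;  // per-user nonce: one signed claim per value

    constructor(IERC20 _token, address _signer) {
        token = _token;
        signer = _signer;
    }

    // The digest binds the authorisation to this chain, this contract, the recipient,
    // the amount, the user's current nonce and an expiry, so a signature collected for
    // one claim cannot be replayed against another contract, chain or claim.
    function claimDigest(address to, uint256 amount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), to, amount, nonce, deadline))
            .toEthSignedMessageHash();
    }

    function claim(uint256 amount, uint256 deadline, bytes calldata signature) external {
        require(block.timestamp <= deadline, "claim: expired");
        // Consume the nonce before any external call so a re-entered or repeated call
        // recomputes a different digest and fails signature recovery.
        uint256 nonce = nonces[msg.sender]++;
        bytes32 digest = claimDigest(msg.sender, amount, nonce, deadline);
        require(digest.recover(signature) == signer, "claim: bad signature");
        require(token.transfer(msg.sender, amount), "claim: transfer failed");
    }
}
```

Off-chain, the signer must sign claimDigest(recipient, amount, nonces[recipient], deadline) for the recipient's current nonce; a monitoring rule that alerts on many claim() calls from one address within a short window would have flagged the repeated withdrawals described above.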
These assets were then transferred to the ZAP bridge in the following 3 transactions:
The assets were later transferred to 0x9E532b19Abd155Ae5ced76cA2a206A732c68f261 on Ethereum: [0x9e532b19abd155ae5ced76ca2a206a732c68f261](https://etherscan.io/address/0x9e532b19abd155ae5ced76ca2a206a732c68f261#tokentxns)
The contract relies on the standard ECDSA library from OpenZeppelin version 3.2.0; signature generation happens off-chain and is therefore outside the scope of the contract audit.
The centralized control of the signing key is covered under the findings on "Centralization Related Risks."