Reproduced Exploit

ParaSpace Exploit (variant 2) — ApeCoin Staking Supply/Borrow Reentrancy


Loss: part of the Mar 2023 ParaSpace incident; tx 0xe3f0d14c…
Chain: Ethereum
Category: Reentrancy
Date: Mar 2023

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2023-03-Paraspace_exp_2 in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/Paraspace_exp.sol.


Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder. Full verbose trace: output.txt. Verified vulnerable source: ParaProxy, ApeCoinStaking, PoolMarketplace, InitializableAdminUpgradeabilityProxy.


Key info

Loss: part of the Mar 2023 ParaSpace incident; tx 0xe3f0d14c…
Vulnerable contract: ParaSpace ParaProxy 0x638a98… (NFT money market) + ApeCoinStaking
Chain / block / date: Ethereum mainnet / Mar 2023
Bug class: ApeCoin-staking integration flaw. Supply/borrow against BAYC/MAYC with ApeCoin staking positions allowed borrowing more than collateral due to mis-accounted staked ApeCoin (fix: PR #368 withdraw/borrow timelock).

TL;DR

ParaSpace's valuation of BAYC/MAYC collateral included the ApeCoin staked on the NFTs. The attacker supplies an NFT whose ApeCoin staking position makes the collateral appear oversized, then borrows the pool's reserves beyond the real collateral value. The fix added a withdraw/borrow timelock (documented in the PoC header), confirming the root cause was an accounting/timelock gap on the staking-collateral interaction.


Root cause

A collateral-accounting flaw combined with a missing withdraw/borrow timelock in the ApeCoin-staking-collateral integration: staked ApeCoin inflated the effective collateral value, and a supply followed by a borrow in the same transaction captured that inflated value.


Diagrams

flowchart TD
    S["supply BAYC w/ ApeCoin staking position"] --> B["borrow > real collateral (staking inflates value)"]
    B --> OUT(["reserves drained"])
    style B fill:#ffcdd2,stroke:#c62828,stroke-width:2px
    style OUT fill:#c8e6c9,stroke:#2e7d32

Remediation

  1. Withdraw/borrow timelock (the applied fix, PR #368).
  2. Correctly value staked ApeCoin collateral; conservative LTV.
  3. nonReentrant + checks-effects-interactions (CEI) on supply/borrow with staking hooks.
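
The three remediation items above, shown as an added Python model of a lending pool. It is not ParaSpace's code and not the PR #368 implementation. The class and method names, the timelock length, the LTV and the staking haircut are all assumptions made for this sketch.

```python
from dataclasses import dataclass

# All parameters are assumptions for this model; the page gives no real values.
TIMELOCK_BLOCKS = 10       # min blocks between a collateral change and a borrow
LTV_BPS = 4_000            # 40% loan-to-value, in basis points
STAKE_HAIRCUT_BPS = 5_000  # hardened pool counts staked ApeCoin at 50%


class BorrowRejected(Exception):
    """Raised when a borrow fails one of the pool's checks."""


@dataclass
class Position:
    nft_value: int     # value of the BAYC/MAYC token itself
    staked_value: int  # reported value of the ApeCoin staked on the token
    changed_at: int    # block of the last supply or staking change
    debt: int = 0


class Pool:
    def __init__(self, reserves, hardened):
        self.reserves, self.hardened = reserves, hardened
        self.positions = {}

    def supply(self, user, nft_value, staked_value, block):
        self.positions[user] = Position(nft_value, staked_value, block)

    def collateral_value(self, user):
        p = self.positions[user]
        staked = p.staked_value
        if self.hardened:  # item 2: value the staked component conservatively
            staked = staked * STAKE_HAIRCUT_BPS // 10_000
        return p.nft_value + staked

    def borrow(self, user, amount, block):
        p = self.positions[user]
        # Item 1: no borrow until the collateral has aged past the timelock.
        if self.hardened and block - p.changed_at < TIMELOCK_BLOCKS:
            raise BorrowRejected("timelock")
        limit = self.collateral_value(user) * LTV_BPS // 10_000
        if p.debt + amount > limit or amount > self.reserves:
            raise BorrowRejected("exceeds limit")
        # Item 3 (CEI): update state before any token transfer would happen.
        p.debt += amount
        self.reserves -= amount
        return amount
```

With constructed values (NFT worth 100, staking position reported at 900), the unhardened pool lends 400 in the block of the supply, while the hardened pool rejects that borrow and later caps it at 220.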

How to reproduce

_shared/run_poc.sh 2023-03-Paraspace_exp_2 -vvvvv
  • RPC: mainnet archive. Result: [PASS] — reserves drained via staking-collateral mis-accounting.

Reference: ParaSpace ApeCoin-staking supply/borrow flaw, mainnet, Mar 2023.


Sources & further analysis

Alerts & third-party analyses

These dashboards index community alert tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.