Reproduced Exploit
ParaSpace Exploit (variant 2) — ApeCoin Staking Supply/Borrow Reentrancy
ParaSpace valued BAYC/MAYC collateral including the ApeCoin staked on the NFTs. The attacker supplies an NFT whose ApeCoin staking position makes the collateral appear oversized, then borrows the pool's reserves beyond the real collateral value. The fix added a withdraw/borrow timelock (documented i…
| Loss | part of the Mar 2023 ParaSpace incident; tx 0xe3f0d14c… |
| Chain | Ethereum |
| Category | Reentrancy |
| Date | Mar 2023 |
Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2023-03-Paraspace_exp_2 in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/Paraspace_exp.sol.
Reproduction: the PoC compiles and runs in an isolated Foundry project (this project folder). Full verbose trace: output.txt. Verified vulnerable source: ParaProxy, ApeCoinStaking, PoolMarketplace, InitializableAdminUpgradeabilityProxy.
Key info#
| Loss | part of the Mar 2023 ParaSpace incident; tx 0xe3f0d14c… |
| Vulnerable contract | ParaSpace ParaProxy 0x638a98… (NFT money market) + ApeCoinStaking |
| Chain / block / date | Ethereum mainnet / Mar 2023 |
| Bug class | ApeCoin-staking integration flaw — supply/borrow against BAYC/MAYC with ApeCoin staking positions allowed borrowing more than collateral due to mis-accounted staked ApeCoin (fix: PR #368 withdraw/borrow timelock). |
TL;DR#
ParaSpace valued BAYC/MAYC collateral including the ApeCoin staked on the NFTs. The attacker supplies an NFT whose ApeCoin staking position makes the collateral appear oversized, then borrows the pool's reserves beyond the real collateral value. The fix added a withdraw/borrow timelock (documented in the PoC header), confirming that the root cause was an accounting/timelock gap in the staking-collateral interaction.
Root cause#
A collateral-accounting flaw plus a missing withdraw/borrow timelock in the ApeCoin-staking collateral integration: staked ApeCoin inflated the effective collateral value, and a same-transaction supply→borrow sequence captured that inflated value before it could be corrected.
Diagrams#
Remediation#
- Withdraw/borrow timelock (the applied fix, PR #368).
- Correctly value staked ApeCoin collateral; conservative LTV.
- `nonReentrant` + CEI (checks-effects-interactions) on supply/borrow paths with staking hooks.
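The three remediations above as an added Solidity sketch, written for this page and not taken from ParaSpace's code or PR #368; `NftPool`, `IApeStaking.stakedApeOf`, the 12-block timelock and the LTV figures are assumptions. Every supply/borrow/withdraw hook is `nonReentrant`, updates state before its external call, and refuses to borrow or withdraw until the timelock after supply has elapsed, so a same-transaction supply→borrow against a staked NFT reverts at the timelock check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Minimal interfaces assumed for this sketch (not ParaSpace's real ABIs).
interface IERC721 { function transferFrom(address from, address to, uint256 id) external; }
interface IApeStaking { function stakedApeOf(address nft, uint256 id) external view returns (uint256); }
// Simplified NFT money market applying the three remediations listed above.
contract NftPool {
    uint256 public constant TIMELOCK_BLOCKS = 12;   // borrow/withdraw only this many blocks after supply
    uint256 public constant FLOOR_LTV_BPS   = 5000; // 50% of the NFT floor price is borrowable
    uint256 public constant STAKED_LTV_BPS  = 0;    // conservative: staked ApeCoin adds no borrow power
    IERC721 public immutable nft;
    IApeStaking public immutable staking;
    uint256 public floorPrice; // ETH (wei) per NFT; oracle abstracted away
    uint256 public apePrice;   // ETH (wei) per whole ApeCoin
    struct Position { bool active; uint256 tokenId; uint256 suppliedAt; uint256 debt; }
    mapping(address => Position) public positions;
    bool private _entered;
    modifier nonReentrant() { require(!_entered, "reentrant"); _entered = true; _; _entered = false; }
    constructor(IERC721 n, IApeStaking s, uint256 f, uint256 a) payable { nft = n; staking = s; floorPrice = f; apePrice = a; }
    // Floor value at FLOOR_LTV plus staked ApeCoin at STAKED_LTV (zero here): a staking position cannot inflate collateral.
    function borrowPower(address user) public view returns (uint256) {
        Position storage p = positions[user];
        if (!p.active) return 0;
        uint256 stakedValue = staking.stakedApeOf(address(nft), p.tokenId) * apePrice / 1e18;
        return floorPrice * FLOOR_LTV_BPS / 10_000 + stakedValue * STAKED_LTV_BPS / 10_000;
    }

    function supply(uint256 tokenId) external nonReentrant {
        Position storage p = positions[msg.sender];
        require(!p.active, "one position per user");
        p.active = true; p.tokenId = tokenId; p.suppliedAt = block.number; // effects first
        nft.transferFrom(msg.sender, address(this), tokenId);              // interaction last
    }

    function borrow(uint256 amount) external nonReentrant {
        Position storage p = positions[msg.sender];
        require(p.active && block.number >= p.suppliedAt + TIMELOCK_BLOCKS, "timelock"); // blocks same-tx supply->borrow
        require(p.debt + amount <= borrowPower(msg.sender), "undercollateralized");
        p.debt += amount;                                                  // effects first
        (bool ok, ) = msg.sender.call{value: amount}("");                  // interaction last
        require(ok, "transfer failed");
    }

    function withdraw() external nonReentrant {
        Position storage p = positions[msg.sender];
        require(p.active && p.debt == 0 && block.number >= p.suppliedAt + TIMELOCK_BLOCKS, "repay first / timelock");
        uint256 id = p.tokenId; delete positions[msg.sender];              // effects first
        nft.transferFrom(address(this), msg.sender, id);                   // interaction last
    }
}
```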
How to reproduce#
- Command: `_shared/run_poc.sh 2023-03-Paraspace_exp_2 -vvvvv`
- RPC: mainnet archive.
- Result: [PASS] — reserves drained via staking-collateral mis-accounting.
Reference: ParaSpace ApeCoin-staking supply/borrow flaw, mainnet, Mar 2023.
Sources & further analysis#
Reproductions & code
- Standalone PoC + full trace: 2023-03-Paraspace_exp_2 (evm-hack-registry mirror).
- Upstream DeFiHackLabs PoC: Paraspace_exp.sol.
Alerts & third-party analyses
- DeFiHackLabs incident explorer: search "ParaSpace Exploit (variant 2)".
- Web3Sec X hacked database: search.
- Rekt leaderboard: search.
- Solodit incident search: search.
These dashboards index community alert tweets, post-mortems, and independent write-ups. Search them by the protocol name above to cross-check this reproduction against other analyses.