On June 8, 2022 the ApolloX token (APX) dropped by 52.12% as a result of a hack that repeatedly invoked the claim() function of ApolloxExchangeTreasury. The attacker received about 53 Million $APX tokens from the contract and then swapped them via PancakeSwap for $BUSD, worth ~$2,150,414 USD at the time of writing.
The contract uses the standard ECDSA library from OpenZeppelin version 3.2.0. Signatures are generated off-chain, outside this contract, and are therefore out of the scope of our audit.
ApolloX officially announced the hack on the same day as the incident. An attacker exploited a flaw in the trading rewards to accumulate signatures, which they then used to withdraw $APX tokens and swap them for $BUSD. ApolloX temporarily disabled the withdraw function on the DEX for approximately 4 hours, resolved the issue, and resumed the withdraw function on the DEX. ApolloX announced on all of its social media platforms that it plans to make up for the losses through the open repurchase of APX and APX earned from exchange trading fees. Twitter link to their announcement: ApolloX on Twitter
The project was launched in December 2021, and APX is the native token of the ApolloX Exchange. APX is a BEP-20 token on the Binance Smart Chain (BSC).
The attacker claimed ApolloX Tokens using these transactions:
https://bscscan.com/tx/0x21e5e6ee42906a840c07eb39fb788553a3fbb5794562825c2a1d37bfc910e5f7
https://bscscan.com/tx/0x67a90c1af85c626460b928ccfde66432dd828b838038ef15400c577ee5386926
https://bscscan.com/tx/0xccc9e8ebf0472272b83e328a11e5aa5eb712c831dcd5bae32622dc238005aee0
https://bscscan.com/tx/0x34b29a393b68ae0f2e417485fb57ea7510a253c1b01431d04a66ca61e4fbbc8c
Then swapped on PancakeSwap:
~5 Million APX for 246,560 BUSD https://bscscan.com/tx/0xc2607de512e31737659b78e8b6f6cc4a82b10f3da953e901e95a0c7beea440de
~7 Million APX for 291,276 BUSD https://bscscan.com/tx/0xe944b576b46402c830bf79062ba22728c55c87c73062f944f01d71d7fb707f53
~7 Million APX for 246,243 BUSD https://bscscan.com/tx/0x55c45952611cdd1b1d1c168c1b0bd6198ff64c71abb67aecda8ffa4057758cc6
~7 Million APX for 213,971 BUSD https://bscscan.com/tx/0x57030b6e64f81b854601abc5953837d4d7b3f2534593a1f48485fffd37630b94
~7 Million APX for 160,999 BUSD https://bscscan.com/tx/0xf25688d3651bbade2cb67835050678ad4ab6f15f140a162fc2c3eed1821f8ec0
~7 Million APX for 115,535 BUSD https://bscscan.com/tx/0xdf7e67aa67b8e56265cb05866d026015d0d6cafcefff5ba957b849df66a34284
~7 Million APX for 183,061 BUSD https://bscscan.com/tx/0x72c7c6b8c73d4e70905c48f7fcc6a5c4a0ba27323067e7bbf2fae8f2cf80be02
~7 Million APX for 143,451 BUSD https://bscscan.com/tx/0x902ebbe7418c719032b524be101c2f3d88f8e061f85e19c5b6ab62a4b65b83c0
The attacker called multiple contracts, which in turn called the claim() function of ApolloxExchangeTreasury repeatedly. The function successfully validated the supplied message and signature with ECDSA.recover() and transferred the corresponding token amount from the contract to the attacker.
The attacker then dumped the APX tokens for BUSD via PancakeSwap.

The attacker earned about 2.1 Million BUSD.
These assets were then transferred to the ZAP bridge in the following 3 transactions:
0x3d141a94a914947b3cc611f3e44d81be9f3147a9afaf168c57c4b5c638b16f71
0x07e4438429c55cfc1d1b2fcb8eb10cadc579d0b16c7b78af78a26448bc8b1d28
0x25ee8fc7d26ef11bce3d546517134b125d306f00bba253a2c13e6dcdc35b64f2
The assets were later transferred to 0x9E532b19Abd155Ae5ced76cA2a206A732c68f261 on Ethereum: https://etherscan.io/address/0x9e532b19abd155ae5ced76ca2a206a732c68f261#tokentxns
As noted above, the contract uses the standard ECDSA library from OpenZeppelin version 3.2.0; signature generation happens off-chain and should be outside the scope of a contract audit.
Centralized control of signatures is included in the findings under “Centralization Related Risks.”
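As an added illustration (not ApolloX's contract and not code from this report), the following Solidity sketch shows the defensive shape a signature-gated claim() can take when, as described above, it relies on ECDSA.recover() over signatures produced off-chain: each signature is bound to this contract, this chain, the claimant, the amount, a nonce and a deadline; each nonce can be consumed once; and the trusted signer can be rotated, which is the on-chain side of the centralized-signature risk noted in the findings. The contract name, the digest layout, the `signer` and `owner` roles, and the OpenZeppelin import paths are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the ApolloX treasury contract. Import paths assume
// OpenZeppelin Contracts 4.x; ECDSA.recover and toEthSignedMessageHash also
// exist in the 3.2.0 release named in the report.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract SignedClaimTreasury {
    using ECDSA for bytes32;
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public signer; // hypothetical off-chain reward signer (assumption)
    address public owner;

    // Each (claimant, nonce) pair may be consumed exactly once, so a valid
    // signature cannot be pushed through claim() a second time.
    mapping(address => mapping(uint256 => bool)) public usedNonce;

    event Claimed(address indexed claimant, uint256 nonce, uint256 amount);
    event SignerChanged(address indexed oldSigner, address indexed newSigner);

    constructor(IERC20 _token, address _signer) {
        token = _token;
        signer = _signer;
        owner = msg.sender;
    }

    // Signer rotation stays with the owner: a compromised signing key can be
    // revoked without redeploying, which bounds the damage of a single
    // off-chain signer holding all signing authority.
    function setSigner(address newSigner) external {
        require(msg.sender == owner, "not owner");
        emit SignerChanged(signer, newSigner);
        signer = newSigner;
    }

    // The digest binds the signature to this chain, this contract, the
    // claimant, the amount, a nonce and a deadline, so a signature issued for
    // one claimant cannot be redirected to another or replayed elsewhere.
    function claimDigest(address claimant, uint256 amount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), claimant, amount, nonce, deadline));
    }

    function claim(uint256 amount, uint256 nonce, uint256 deadline, bytes calldata signature) external {
        require(block.timestamp <= deadline, "signature expired");
        require(!usedNonce[msg.sender][nonce], "nonce already used");

        bytes32 digest = claimDigest(msg.sender, amount, nonce, deadline).toEthSignedMessageHash();
        // ECDSA.recover reverts on malformed or malleable signatures.
        address recovered = digest.recover(signature);
        require(recovered == signer, "bad signature");

        usedNonce[msg.sender][nonce] = true; // effects before the external transfer
        emit Claimed(msg.sender, nonce, amount);
        token.safeTransfer(msg.sender, amount);
    }
}
```

Binding the digest to the claimant and a one-shot nonce means a signed message that reaches the contract can be redeemed at most once and only by the address it was issued for, and the deadline limits how long an issued signature stays redeemable. None of this removes the trust placed in the off-chain signer itself, which is why centralized signature control belongs under centralization risks; per-claim or per-period caps and monitoring of Claimed events against expected reward volumes are the usual additional controls on top of the contract-side checks.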