How a Flawed Contract Code Led to a Massive APE Token Heist


Yesterday, PawnFi was exploited and drained of NFTs and APE tokens.

This is how the hacker exploited the platform (Refer to the visual below):

1. The attacker found an NFT already staked in the APE Staking Pool by another user. The NFT was used as collateral to borrow APE tokens from the PawnFi Protocol.

2. They called the "depositAndBorrowApeAndStake()" function of the PawnFi Protocol contract and passed the NFT ID as an argument. The function was supposed to check whether the NFT had been transferred to the contract before allowing the borrowing, but it failed to do so due to a flaw in the code.

3. The contract allowed the attacker to borrow APE tokens using the NFT as collateral, even though the NFT was not transferred to the contract and was still owned by another user. The contract also transferred the borrowed APE tokens to the project contract, which was controlled by the attacker.

4. The attacker then called the "depositAndBorrowApeAndStake()" function again, passing the same NFT ID as an argument. This time, the function staked the APE tokens held by the contract in the APE Staking Pool and mistakenly recognized the attacker as the depositor, giving them access to withdraw the APE tokens from the pool.

5. The attacker withdrew the APE tokens from the pool and repeated steps 2 to 4 multiple times, draining more APE tokens from the protocol and causing a loss for other users.
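
The missing check from step 2, sketched as an added example (this is not PawnFi's contract code): a simplified lending contract in which the flawed entry point trusts the supplied NFT ID, while the hardened one verifies ownership and custody before lending. All contract, function and constant names are hypothetical, and the loan amount is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: a simplified model, not PawnFi's contract code.
// CollateralLoanSketch, borrowUnchecked, borrowChecked and LOAN_PER_NFT
// are hypothetical names.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract CollateralLoanSketch {
    IERC721 public immutable nft;
    IERC20 public immutable ape;
    uint256 public constant LOAN_PER_NFT = 100 ether; // constructed value

    mapping(uint256 => address) public depositorOf; // tokenId => who posted it
    mapping(uint256 => uint256) public debtOf;      // tokenId => outstanding loan

    constructor(IERC721 nft_, IERC20 ape_) {
        nft = nft_;
        ape = ape_;
    }

    // FLAWED: trusts the caller-supplied tokenId. Nothing proves the caller
    // owns the NFT or that this contract ever took custody of it.
    function borrowUnchecked(uint256 tokenId) external {
        depositorOf[tokenId] = msg.sender;
        debtOf[tokenId] += LOAN_PER_NFT;
        require(ape.transfer(msg.sender, LOAN_PER_NFT), "transfer failed");
    }

    // HARDENED: the caller must own the NFT, custody must move to this
    // contract, and a token already backing a loan cannot be pledged again.
    function borrowChecked(uint256 tokenId) external {
        require(debtOf[tokenId] == 0, "already collateralised");
        require(nft.ownerOf(tokenId) == msg.sender, "caller is not owner");
        nft.transferFrom(msg.sender, address(this), tokenId);
        require(nft.ownerOf(tokenId) == address(this), "custody not taken");
        depositorOf[tokenId] = msg.sender;
        debtOf[tokenId] = LOAN_PER_NFT;
        require(ape.transfer(msg.sender, LOAN_PER_NFT), "transfer failed");
    }
}
```

The post-transfer `ownerOf` check matters because a depositor record written without confirmed custody is what lets later steps treat the caller as the rightful depositor.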
