ApolloX Finance is a decentralized derivatives exchange (shorts, longs, etc.) with the token APX. The contract relied on a signature scheme to authorize various calls made on behalf of an off-chain component of the service itself.
The signature scheme was used when a user wanted to make a withdrawal. The off-chain system would hand the user a signature, which the user could then pass to claim to receive their funds. During the call, the signature is checked to have been produced by the backend's signing key. There is also a claim history, so the same signature cannot simply be replayed against that contract.
Two other functions used the same signing key as well. In particular, a separate contract exposed the same claim function; the only difference was an extra field, the deadline, taken from the signed message. By sheer coincidence, the deadline (a timestamp) in the second contract was read from the same position of the signed message that held the reservedAmount variable in the first. Since the amount was large enough (and so, read as a date, lay far in the future), the deadline check would pass.
This means a signature that had already been consumed by an earlier withdrawal could be presented again to the other contracts. The funds would not be sent to whoever made the call but to the recipient encoded in the signed message; still, a user holding the signed object could perform the claim three times instead of once, effectively tripling the amount obtained from a single authorization.
Overall, an interesting instance of reusing a cryptographic key across different contexts. It could have been avoided by using different keys for different contracts (or by binding the signed message to the contract it is meant for), or by keeping a global record of consumed signatures shared across all of them. Good find by the hacker on this one!
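The cross-contract replay described above and the two fixes suggested at the end, as an added model that is not ApolloX's code. The contract names, field layout, chain id, addresses, amounts and timestamp are all constructed for the demonstration, and an HMAC under a single backend key stands in for the backend's ECDSA signature, since the flaw lies in which bytes get signed rather than in the signature algorithm. The page says three functions shared the key; the model reproduces the tripling by instantiating two deadline-checked contracts beside the reservedAmount one, which is an assumption about their layout.

```python
import hashlib
import hmac

# Constructed example: one backend key shared by every contract, as in the write-up.
# HMAC-SHA256 stands in for the backend's ECDSA key (assumption for the model).
BACKEND_KEY = b"demo-backend-signing-key"

def backend_sign(message: bytes) -> bytes:
    return hmac.new(BACKEND_KEY, message, hashlib.sha256).digest()

def signature_valid(message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(backend_sign(message), sig)

def u256(x: int) -> bytes:            # abi.encodePacked(uint256)
    return x.to_bytes(32, "big")

def addr(a: str) -> bytes:            # abi.encodePacked(address)
    return bytes.fromhex(a[2:]).rjust(20, b"\x00")

# Vulnerable layout: (recipient, amount, <third word>). Both contract types sign
# the same three words; only the meaning of the third word differs.
def packed_claim(recipient: str, amount: int, third: int) -> bytes:
    return addr(recipient) + u256(amount) + u256(third)

class ReservedClaim:
    """Contract 1 (constructed): third signed word is reservedAmount."""
    def __init__(self):
        self.used, self.paid = set(), {}
    def claim(self, recipient, amount, reserved_amount, sig):
        if not signature_valid(packed_claim(recipient, amount, reserved_amount), sig):
            raise PermissionError("bad signature")
        if sig in self.used:                    # per-contract claim history only
            raise PermissionError("already claimed")
        self.used.add(sig)
        self.paid[recipient] = self.paid.get(recipient, 0) + amount
        return amount

class DeadlineClaim:
    """Contract 2 (constructed): identical layout, third word read as a deadline."""
    def __init__(self):
        self.used, self.paid = set(), {}
    def claim(self, recipient, amount, deadline, sig, now):
        if not signature_valid(packed_claim(recipient, amount, deadline), sig):
            raise PermissionError("bad signature")
        if now > deadline:                      # a wei amount read as a date is far in the future
            raise PermissionError("expired")
        if sig in self.used:
            raise PermissionError("already claimed")
        self.used.add(sig)
        self.paid[recipient] = self.paid.get(recipient, 0) + amount
        return amount

class DomainClaim:
    """Hardened variant: signed bytes are bound to chain id, verifying contract and a
    purpose tag (the EIP-712 domain-separation idea), and every contract records used
    signatures in one shared registry instead of a private claim history."""
    def __init__(self, chain_id, address, purpose, registry):
        self.chain_id, self.address, self.purpose = chain_id, address, purpose
        self.registry, self.paid = registry, {}
    def message(self, recipient, amount, third):
        return (u256(self.chain_id) + addr(self.address) + self.purpose.encode()
                + packed_claim(recipient, amount, third))
    def claim(self, recipient, amount, third, sig):
        if not signature_valid(self.message(recipient, amount, third), sig):
            raise PermissionError("bad signature or wrong contract")
        if sig in self.registry:
            raise PermissionError("already claimed on some contract")
        self.registry.add(sig)
        self.paid[recipient] = self.paid.get(recipient, 0) + amount
        return amount

def run_demo():
    user, amount = "0x" + "11" * 20, 500 * 10**18
    reserved = 1_000 * 10**18          # 1e21 wei; as a Unix timestamp it never expires
    now = 1_654_000_000                # constructed "current" time (mid-2022)

    # The backend signs one withdrawal meant for contract 1 ...
    sig = backend_sign(packed_claim(user, amount, reserved))
    c1, c2, c3 = ReservedClaim(), DeadlineClaim(), DeadlineClaim()
    c1.claim(user, amount, reserved, sig)
    # ... but the same bytes verify on the other two, and reserved >= now passes their check.
    c2.claim(user, amount, reserved, sig, now)
    c3.claim(user, amount, reserved, sig, now)
    vulnerable_paid = c1.paid[user] + c2.paid[user] + c3.paid[user]

    # Hardened: chain id 56 and the addresses are constructed values.
    registry = set()
    h1 = DomainClaim(56, "0x" + "aa" * 20, "reserved-claim", registry)
    h2 = DomainClaim(56, "0x" + "bb" * 20, "deadline-claim", registry)
    sig1 = backend_sign(h1.message(user, amount, reserved))
    h1.claim(user, amount, reserved, sig1)
    cross_rejected = replay_rejected = False
    try:
        h2.claim(user, amount, reserved, sig1)   # wrong domain: signature does not verify
    except PermissionError:
        cross_rejected = True
    try:
        h1.claim(user, amount, reserved, sig1)   # same contract: caught by the shared registry
    except PermissionError:
        replay_rejected = True
    return {"vulnerable_paid": vulnerable_paid, "hardened_paid": h1.paid[user],
            "cross_contract_rejected": cross_rejected, "replay_rejected": replay_rejected}

if __name__ == "__main__":
    print(run_demo())
```

The vulnerable path pays the user three times for one authorization because each contract keeps its own claim history and all three verify the same packed bytes. Binding the message to the contract (or using a separate key per contract) stops the cross-contract use, and the shared registry stops the same signature from being consumed twice anywhere; the model applies both, but either alone would have closed the path described in the write-up.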