Security firm BlockSec prevented a hacker from stealing $5 million from the NFT lending project Paraspace.
BlockSec, a unit specializing in smart contract audits, promptly detected and successfully prevented the theft of 2,900 ETH (worth 5 million USD) from the NFT lending project Paraspace.
On the afternoon of March 17, taking advantage of a period when gas fees were cheap, the culprit found a way to attack the Paraspace platform. However, the “on-chain police” BlockSec soon discovered and stopped the hacker’s plot, promptly securing the 2,900 ETH ($5 million) that was in danger of being lost from Paraspace.
1/ There is a flawed logic in borrow() of the ParaProxy contract (0x638a) of @ParaSpace_NFT. The attacker can borrow more tokens as his scaledBalance will be enlarged by depositing into the position of the proxy (0xC5c9), i.e., specifying the _recipient of depositApeCoin(). https://t.co/Z4e1QOpLg3 pic.twitter.com/fkd96nAPHb
— BlockSec (@BlockSecTeam) March 17, 2023
BlockSec then informed the lending project, and Paraspace immediately paused the protocol to investigate the issue. The project also stated that all NFTs deposited into the platform are currently safe.
We noticed a suspicious transaction, and as a security measure, we have paused the entire ParaSpace protocol.
Currently, no transactions (withdrawals, deposits, liquidations) can take place with our contracts.
We are currently investigating and will provide you with an update… https://t.co/3vrIciVF5C
— ParaSpace (@ParaSpace_NFT) March 17, 2023
According to BlockSec, the vulnerability resides in Paraspace’s lending contracts and allows an attacker to easily borrow tokens against very little NFT collateral, thereby draining the platform’s liquidity. Lei Wu, co-founder and CTO of BlockSec, revealed that BlockSec prevented the hack with an internal real-time incident detection system.
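A simplified Python model of the accounting issue described in the BlockSec tweet, added here as an illustration and not taken from ParaSpace's or BlockSec's code: the borrow limit is derived from a staking position that any depositor can increase by naming the proxy as recipient, shown beside a hardened variant that values collateral only against an internal ledger. All class and function names, the 50% loan-to-value ratio and the amounts are assumptions made for the model.

```python
from dataclasses import dataclass, field

LTV_BPS = 5_000  # assumed 50% loan-to-value, in basis points

@dataclass
class StakingPool:
    """External staking contract: anyone may deposit for any recipient."""
    positions: dict = field(default_factory=dict)

    def deposit(self, amount: int, recipient: str) -> None:
        self.positions[recipient] = self.positions.get(recipient, 0) + amount

@dataclass
class LendingProxy:
    pool: StakingPool
    address: str = "proxy"
    scaled: dict = field(default_factory=dict)  # user -> scaled balance (shares)
    tracked_assets: int = 0                     # ledger written only by supply()

    def supply(self, user: str, amount: int) -> None:
        total = sum(self.scaled.values())
        shares = amount if total == 0 else amount * total // self.tracked_assets
        self.scaled[user] = self.scaled.get(user, 0) + shares
        self.tracked_assets += amount
        self.pool.deposit(amount, self.address)

    def _limit(self, user: str, assets: int) -> int:
        total = sum(self.scaled.values())
        value = 0 if total == 0 else self.scaled.get(user, 0) * assets // total
        return value * LTV_BPS // 10_000

    def borrow_limit_flawed(self, user: str) -> int:
        # Values shares against the live external position, which outsiders can raise.
        return self._limit(user, self.pool.positions.get(self.address, 0))

    def borrow_limit_hardened(self, user: str) -> int:
        # Values shares only against assets the protocol itself recorded.
        return self._limit(user, self.tracked_assets)

def run_scenario():
    pool = StakingPool()
    proxy = LendingProxy(pool)
    proxy.supply("alice", 1_000)  # constructed sample amounts
    proxy.supply("bob", 1_000)
    before = (proxy.borrow_limit_flawed("bob"), proxy.borrow_limit_hardened("bob"))
    # Deposit that names the proxy as recipient and bypasses supply(): no shares minted.
    pool.deposit(2_000, recipient=proxy.address)
    after = (proxy.borrow_limit_flawed("bob"), proxy.borrow_limit_hardened("bob"))
    return before, after
```

In the model, the flawed limit for the same scaled balance moves with a deposit the protocol never recorded, while the hardened limit stays fixed; a monitor can alert on exactly that divergence between the external position and the internal ledger.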
Notably, the hacker also sent an on-chain message asking BlockSec to return the gas fee of about 0.7 ETH spent on the attempt to hack Paraspace. The hacker wrote:
“I couldn’t complete the transaction because of a stupid gas calculation error. I lost a lot of money on this, it would be nice to get some back… good luck.”
But this is not the first time BlockSec has raised the alarm and protected funds for projects. BlockSec previously rescued $3.8 million from the Saddle Finance hacker in April 2022 and successfully recovered $2.4 million from the Platypus Finance hackers.