ParaSpace hack in retrospect: $5M rescued, large withdrawals time-locked, hacker wants fees back ParaSpace hack in retrospect: $5M rescued, large withdrawals time-locked, hacker wants fees back
The affected cryptocurrency project ultimately lost no significant funds.
2 min read
Updated: Mar. 18, 2023 at 3:25 am UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
The crypto and NFT staking platform ParaSpace experienced an attempted exploit that put $5 million at risk, according to various reports on March 17.
ParaSpace confirms vulnerability
ParaSpace acknowledged an attack on its contracts early in the day. It paused its protocol and later said it had found the cause of the exploit.
The project additionally stated that all user funds, including NFTs were safe. ParaSpace lost 50 to 150 ETH (less than $270,000) due to price slippage during the attack and the recovery. ParaSpace said it will cover those protocol losses. Furthermore, it said that it will provide a 5% bounty to BlockSec, which informed it of the issue.
When asked about past audits, ParaSpace admitted that the issue existed despite nine audits from multiple companies — some of which occurred just months ago.
ParaSpace said it is patching the issue and noted that the protocol pause will remain until further audits. Though ParaSpace has not announced a reactivation time, it has added another limitation: large withdrawals will be time-locked.
BlockSec intercepted attacker
Crypto security firm BlockSec first reported the attack against ParaSpace at 6:50 a.m. UTC on March 17. Around that time, it intercepted the hacker and rescued 2,900 ETH ($5 million). The company attempted to contact ParaSpace but received no response.
According to BlockSec, a vulnerability in one of ParaSpace’s smart contracts allowed the attacker to borrow additional tokens through a six-step process.
BlockSec also revealed in statements to The Block that it used the hacker’s own exploit — even re-redeploying a version of the original attack contract — to recover the stolen funds forcibly. BlockSec held the rescued funds and returned them to ParaSpace.
The hacker later sent a message to BlockSec in a blockchain transaction that asked for 0.7 ETH ($1,250) of gas fees to be returned. The attacker wrote, “I lost a lot of money trying to make it work” and added: “it would be cool to get at least some of [that money] back.”
ParaSpace is a platform that allows users to stake other assets, including non-fungible tokens (NFTs) and ERC-20 tokens. Its site advertises Bored Ape Yacht Club (BAYC) staking, though the two projects are not officially associated.
Posted In: Hacks
Author 
Mike Dalton
Before transitioning to crypto writing in 2018, Mike studied library and information sciences. Currently, he resides on Canada's West Coast.
