The Flashloan Attack on the APE AirDrop to claim $1.1 million of APE Tokens
As reported by Will Sheehan, the APE token has been attacked by an MEVor. Long story short, Yuga Labs, the makers of Bored Ape Yacht Club (BAYC), yesterday airdropped ApeCoin (APE) to anyone who owns one of their NFTs.
The team distributed 150 million tokens, or 15% of the entire ApeCoin supply, to holders of the Bored Ape Yacht Club and Mutant Ape Yacht Club collections, totalling more than $800 million. Each BAYC holder received 10,094 tokens worth between $80,000 and $200,000. However, someone discovered a way to claim the airdrop by using NFTs that they did not own at the time. They exploited the particular way the airdrop works to carry it out. It was a very effective approach, earning them $1.1 million in ApeCoin.
In particular, the attacker can borrow BAYC tokens that can be redeemed for NFTs, and then use these NFTs to claim the airdrop. After that, the attacker mints the BAYC tokens using the BAYC NFTs to return the flash loan.
For this strategy, the person began by discovering a vault containing 5 Bored Ape NFTs that had not been utilized to claim the airdrop.
A vault is a method of tokenizing an NFT or a group of NFTs. What occurs is that you take a set of NFTs, store them in a vault, and then build a token out of them. This token can then be staked or sold to obtain token rewards (representing part of the value of the collection of NFTs). Anyone with a sufficient number of tokens can exchange them for the underlying NFTs.
This vault was built using the NFTX protocol. It contains 5 Bored Apes: #7594, #8214, #9915, #8167, and #4755, each valued around 500 ETH ($1.4 million) at the current floor price. Nobody had utilized the NFTs to claim the airdrop because they were locked up in the vault and not controlled by any one entity.
The person wanted to unlock the NFTs so they could use them to claim the airdrop, but they didn’t want to buy them directly, which would be costly. To carry out this scheme, they used a flash loan, a method often used for major DeFi hacks.
Flash loans are a low-cost option to borrow large quantities of cryptocurrency, with the expectation that the cryptocurrency would be repaid in the same transaction in the same block (meaning that the funds are never at risk of not being repaid).
In this case, they purchased a Bored Ape on the NFT marketplace OpenSea for less than $300,000 and used it as collateral for the flash loan. The flash loan was then used to buy a huge quantity of the vault’s token, allowing them to redeem 5 NFTs. The NFTs were used to claim the airdrop, all in one complicated transaction, before being returned, the tokens sold again, and the debt repaid.
During this process, they were able to receive an airdrop of 60,564 ApeCoin. They subsequently sold these tokens for 399 ETH ($1.1 million) on the decentralized exchange Uniswap. Following that, they returned the original Bored Ape NFT that was used as collateral to the same NFTX vault.
Although many social media users hailed the incident as an inventive arbitrage deal, security firm BlockSecTeam disagreed. It has classified this as an attack that took advantage of a flaw in the airdrop-claiming system. BlockSecTeam said that the user likely took advantage of a “vulnerability” in yesterday’s airdrop event.
One way this could have been avoided is if the airdrop had taken into consideration how long a person had to own the NFT before claiming the reward. Since Yuga Labs did not take a snapshot, a method that’s common for most airdrops, anyone could buy the NFT in real time and claim the airdrop. This is most likely the key reason why BAYC sales increased so quickly after the airdrop announcement.
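The difference between checking live ownership and checking a snapshot can be seen in a small model. This is an added example, not code from the ApeCoin contract or from the original report; the class and function names, the holder labels and the id of the purchased ape are assumptions, while the per-NFT amount and the vault NFT ids come from the article.

```python
# Simplified model of airdrop eligibility; not the ApeCoin contract's code.
APE_PER_BAYC = 10_094                         # per-NFT amount stated in the article
VAULT_APES = [7594, 8214, 9915, 8167, 4755]   # vault NFT ids from the article
BOUGHT_APE = 1                                # constructed placeholder id

class Airdrop:
    def __init__(self, owners, snapshot=None):
        self.owners = owners        # live ownership: token id -> holder
        self.snapshot = snapshot    # ownership frozen earlier, or None
        self.claimed = set()
        self.balances = {}

    def claim(self, caller, token_ids):
        """Pay APE_PER_BAYC for each unclaimed NFT the caller is eligible for."""
        # Weak mode: whoever holds the NFT right now is eligible.
        # Hardened mode: only the holder recorded in the snapshot is eligible.
        book = self.owners if self.snapshot is None else self.snapshot
        paid = 0
        for tid in token_ids:
            if tid in self.claimed or book.get(tid) != caller:
                continue
            self.claimed.add(tid)
            paid += APE_PER_BAYC
        self.balances[caller] = self.balances.get(caller, 0) + paid
        return paid

def run_atomic_borrow(use_snapshot):
    """One transaction: NFTs leave the vault, a claim is attempted, NFTs go back."""
    owners = {tid: "vault" for tid in VAULT_APES}
    owners[BOUGHT_APE] = "seller"
    snapshot = dict(owners) if use_snapshot else None  # frozen before any transfer
    drop = Airdrop(owners, snapshot)
    ids = VAULT_APES + [BOUGHT_APE]
    for tid in ids:                 # temporary custody inside the transaction
        owners[tid] = "borrower"
    paid = drop.claim("borrower", ids)
    for tid in ids:                 # everything is returned before the tx ends
        owners[tid] = "vault"
    return paid, owners, drop

if __name__ == "__main__":
    print("live ownership check:", run_atomic_borrow(False)[0])
    print("snapshot check:      ", run_atomic_borrow(True)[0])
```

With the live check, the temporary holder is paid for all six NFTs even though every one of them is back in the vault when the transaction ends; with the snapshot, the same claim pays nothing and the recorded holder can still claim later.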