User makes flash loan attack and profits 820k USD with ApeCoin

The launch of ApeCoin (APE), an exclusive cryptocurrency for Bored Apes holders, was an immediate success. However, the repercussion of the APE also attracted the attention of numerous coups. In one of them, a user managed to profit a few ETH through a fraudulent operation.

According to security firm CertiK, the unknown user used system rules and received over 60,000 APE. He then performed a series of complex operations, which can be summarized as follows:

• bought all BAYCs in the NFTX liquidity pool;
• they took the aidrop (ApeCoin) from each BAYC;
• sold the BAYCs (no airdrop available) back to the NFTX liquidity pool;
• sold the ApeCoin and pocketed the profit.

At the end of the operation, the user would have profited US$ 820 thousand in Ethereum (ETH). CertiK created a thread on Twitter where it explains all the details about the attack.

Incident Analysis

1. The attacker bought NFT No.1060 from OpenSea, which was later used as the flash loan fee to flash loan 5.2 BAYC tokens from the “NFTX Vault”

2. Then used the BAYC tokens borrowed in step 1 to redeem BAYC NFTs (NFT token ID: 7594, 8214, 9915, 8167, 4755) pic.twitter.com/YlU8nWI41n

— CertiK Alert (@CertiKAlert) March 17, 2022

Short term loans

As Cryptheory reported, APE had a strong jump in its price shortly after its launch. The appreciation reached 47%, taking the cryptocurrency to the Top 100 of CoinMarketCap.

At the same time, the demand for BAYCs also increased, as only the owners of the NFTs would be entitled to the APE airdrop. So people rushed to buy the monkeys, which drove up the price of the collection as a whole.

In this sense, the unknown user took advantage of this increase in demand and bought a copy, the BAYC #1060. The purchase gave you the right to participate in the airdrop and therefore earn an amount of APE.

With a copy in hand, the user used the NFT as collateral to get five more BAYCs through the Vault NFTX platform. This platform allows the creation of liquidity for NFTs that find it difficult to trade.

In Vault NFTX, users can deposit their NFTs in the vault and create a fungible ERC20 token. This token, in turn, can be redeemed in exchange for vault-specific NFTs. In possession of the tokens, the user redeemed the following BAYX: #7594, #8214, #9915, #8167 and #4755.

Mass claim

With six BAYC in hand instead of just one, the user can claim more APE during the airdrop. According to CertiK, he managed to accumulate around 60,564 APE.

This was made possible through a flaw identified by the company in the airdrop distribution algorithm. The function The function GetClaimabletokenAmountAndGammatoclakllaim(), used to calculate the amount of EPA each person can claim.

According to CertiK, the function calculates how many APEs will be delivered according to the amount of BAYC the claimant has. However, it does not take into account how long the user has had these NFTs.

That is, the function distributes the APEs regardless of whether the person bought NFTs a year ago or five minutes ago. Without this differentiation, there was a loophole that many people used to arbitrate and get airdrops.

It was precisely the case of the user in question, who obtained a millionaire sum. After obtaining the APEs, he sold most of them in exchange for ETH, making a big profit.

Ultimately, the attacker exchanged the borrowed BAYC back for ERC-20 tokens, paying the loan and network fees. Ultimately, the operation resulted in a profit of 293 ETH.