The Bored Ape Yacht Club (BAYC) NFT collection has introduced its own cryptocurrency for its members, ApeCoin. Owners of Bored Ape Yacht Club or Mutant Ape Yacht Club NFTs could claim a set number of free tokens. After claiming, investors could either sell the tokens for a profit or keep them.
After the launch of the cryptocurrency, 93 million tokens were sold and distributed, which attracted the attention of many attackers. Each BAYC owner received 10,094 tokens, worth between $80 thousand and $200 thousand.
Researchers at Check Point Research found evidence that attackers could claim airdrop tokens (tokens handed out for free) using NFTs they did not originally own. They obtained a large number of tokens from the airdrop using a so-called flash loan attack.
A flash loan is a loan that is taken out and repaid within a single transaction on the blockchain. In practice, the borrower must repay the loan before the end of the block (a matter of seconds); if it is not repaid, the loan is not executed and the funds return to the lender. Unlike a regular loan, the user needs no collateral and goes through no identity checks; borrowing and repayment are fully automated. If the transaction succeeds, both lender and borrower profit from the loan; if anything goes wrong, the transaction is cancelled and neither side makes a profit.
Price differences for the same token across exchanges give traders a small window for quick profit. Traders use flash loans to buy coins cheaply on one exchange and sell them at a higher price on another, pocketing the difference and repaying the loan within the same transaction.
Attackers using flash loans find ways to manipulate the market while staying within the rules of the blockchain. They trick the lender into believing the loan is fully repaid even when it is not, and in some cases they exploit vulnerabilities in smart contracts.
All an attacker needs to do is find BAYC NFTs that were not used to claim tokens during the airdrop and use a protocol called NFTX. NFTX lets users deposit their NFTs into a vault and mint a fungible token in return, which can be traded on platforms such as Sushi, Uniswap and Bancor.
The attacker bought ape 1060 on OpenSea in order to use the NFTX protocol's flash loan. With that flash loan, the criminal borrowed a large number of NFTX tokens, used the borrowed NFTs to claim 60,564 apecoins, returned the NFTs to NFTX and repaid the loan, all in one transaction.
The root mistake was that the ApeCoin airdrop did not check how long a holder had owned their Bored Ape NFTs; whoever owned a token at the moment of claiming could collect its allocation. An attacker therefore only needs to hold the NFT briefly and claim during that window.
In the AirdropGrapesToken contract, the ClaimableTokens() function calls getClaimableTokenAmountAndGammaToClaim() to compute the number of apecoins from how many NFTs the caller holds at that moment, without considering how long the caller has owned them.
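The following simulation is an added example, not code from the article, from Check Point Research, or from the ApeCoin, NFTX or BAYC contracts. It models two things described above in one toy chain: the atomic borrow-use-return shape of a flash loan (state is rolled back if the loan is not repaid), and the difference between an airdrop that checks who holds an NFT at the moment of the call and one that checks ownership at a snapshot block fixed before the airdrop was announced. All names, token ids and the vault are constructed for the example; the per-NFT figure reuses the 10,094 quoted in the article only as an illustrative constant.

```python
"""Toy model: flash-loan claim against a current-balance airdrop vs. a snapshot airdrop."""
import copy
from dataclasses import dataclass, field
from typing import Callable

PER_NFT = 10_094        # illustrative per-NFT allocation (figure quoted in the article)
VAULT = "nftx_vault"    # hypothetical vault address holding deposited NFTs


class Revert(Exception):
    """Abort the current transaction; the simulated chain rolls its state back."""


@dataclass
class Chain:
    """Minimal on-chain state: NFT ownership now, ownership at the snapshot, airdrop bookkeeping."""
    nft_owner: dict = field(default_factory=dict)       # token id -> current holder
    snapshot_owner: dict = field(default_factory=dict)  # token id -> holder at snapshot block
    claimed: set = field(default_factory=set)           # token ids whose allocation was paid out
    coins: dict = field(default_factory=dict)           # address -> airdrop coin balance

    def transfer(self, token_id: int, frm: str, to: str) -> None:
        if self.nft_owner.get(token_id) != frm:
            raise Revert("not the owner")
        self.nft_owner[token_id] = to

    def run_tx(self, fn: Callable[["Chain"], None]) -> bool:
        """Execute fn atomically: any Revert restores the pre-transaction state."""
        backup = copy.deepcopy(self.__dict__)
        try:
            fn(self)
            return True
        except Revert:
            self.__dict__.update(backup)
            return False


def flash_redeem(chain: Chain, token_ids, borrower: str, use: Callable[[Chain], None]) -> None:
    """Flash-loan style redemption: hand NFTs to the borrower, run its code, require them back."""
    for t in token_ids:
        chain.transfer(t, VAULT, borrower)
    use(chain)
    for t in token_ids:
        if chain.nft_owner.get(t) != VAULT:
            raise Revert("flash loan not repaid")   # whole transaction unwinds


def _pay(chain: Chain, who: str, eligible) -> int:
    if not eligible:
        raise Revert("nothing to claim")
    chain.claimed.update(eligible)
    amount = PER_NFT * len(eligible)
    chain.coins[who] = chain.coins.get(who, 0) + amount
    return amount


def claim_current_balance(chain: Chain, who: str) -> int:
    """Vulnerable pattern: eligibility is whoever holds the NFT at the moment of the call."""
    eligible = [t for t, o in chain.nft_owner.items() if o == who and t not in chain.claimed]
    return _pay(chain, who, eligible)


def claim_snapshot(chain: Chain, who: str) -> int:
    """Hardened pattern: eligibility is fixed by ownership at a snapshot block taken earlier."""
    eligible = [t for t, o in chain.snapshot_owner.items() if o == who and t not in chain.claimed]
    return _pay(chain, who, eligible)


def simulate(claim_fn: Callable[[Chain, str], int], attacker: str = "attacker"):
    """Attacker holds no NFT; the vault holds three NFTs deposited before the snapshot.
    Returns (transaction_succeeded, attacker_coin_balance, token_ids_marked_claimed)."""
    chain = Chain()
    for t in (1, 2, 3):
        chain.nft_owner[t] = VAULT
        chain.snapshot_owner[t] = VAULT   # the vault already held them at snapshot time

    def tx(c: Chain) -> None:
        def use(c2: Chain) -> None:
            claim_fn(c2, attacker)                  # claim while briefly holding the NFTs
            for t in (1, 2, 3):
                c2.transfer(t, attacker, VAULT)     # give them back so the loan "repays"
        flash_redeem(c, (1, 2, 3), attacker, use)

    ok = chain.run_tx(tx)
    return ok, chain.coins.get(attacker, 0), set(chain.claimed)


if __name__ == "__main__":
    print("current-balance check:", simulate(claim_current_balance))  # claim succeeds
    print("snapshot check:       ", simulate(claim_snapshot))         # tx reverts, nothing paid
```

With the current-balance policy the single transaction borrows, claims and repays, and the attacker ends with three allocations even though every NFT is back in the vault when the block closes. With the snapshot policy the same transaction reverts at the claim step, so the rollback also undoes the borrow, and the `claimed` set stays empty. A minimum-holding-time check (recording the block of the last transfer per token and refusing claims below a threshold) is an alternative the article's description points at; a snapshot or Merkle allowlist computed from a past block is the more common fix because it is immune to anything that happens inside the claiming transaction.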