Research by: Dikla Barda, Roman Zaikin, Oded Vanunu
Highlights:
The Bored Ape Yacht Club NFT collection announced this week that its members would get their own cryptocurrency: ApeCoin.
The Bored Ape Yacht Club is today one of the largest non-fungible token (NFT) collections.
In an announcement yesterday it was stated that if you hold a Bored Ape Yacht Club or Mutant Ape Yacht Club NFT in your wallet, you can claim a certain amount of free tokens. After claiming, investors could either sell for a profit or hold their tokens.
The claim is open for 90 days, and shortly after launch 93 million tokens had already been sold or airdropped, an announcement that caught the attention of many threat actors and hackers.
Each BAYC holder got 10,094 tokens, valued anywhere between $80,000 and $200,000.
Eventually, our researchers found evidence of a threat actor claiming the airdrop using NFTs that they did not initially own.
Hackers used a flash loan attack to claim a large number of airdropped tokens, and with this method they were able to quickly gain millions of USD.
We can’t say that the Bored Ape Yacht Club wasn’t warned.
Two days ago people were already discussing the possibility of a flash loan attack on Twitter:
Source: Twitter
To understand the flow, we should start by explaining what exactly a flash loan attack is and how it works.
A flash loan is a loan that is taken out and repaid within a single transaction on the blockchain network.
In practice, the borrower has to repay the loan before the end of the block (which takes only a few seconds); failing that, the loan fails and the money is returned to the lender.
Unlike a regular loan, no collateral is needed and there is no identification process. Hackers like to use flash loans because they don’t have to risk their own capital, and because they are using someone else’s funds the wallets don’t get traced back to them.
The borrowing and lending process is automated, and when everything works out, both the lender and borrower benefit from the loan. If anything goes wrong, the transaction is canceled, and there’s no profit for either one of the parties.
Price differences across exchanges open up a small window for traders to generate profits quickly.
These traders use flash loans as leverage: they buy coins at a low price on one exchange and sell them at a higher price on another, generating a quick profit and paying back the loan in the same transaction.
Flash loan attackers thrive on finding ways to manipulate the market while still abiding by the blockchain’s rules.
Hackers trick the lender into believing that the loan has been repaid in full, even if it has not.
In some cases, attackers exploit vulnerabilities in smart contracts: they buy tokens cheaply from, or sell them at inflated prices to, the exploited contracts, and then use the proceeds to repay the loan.
All the attacker had to do was find BAYC NFTs that had not yet been used to claim the airdropped ApeCoin tokens; to do so he used a protocol called NFTX.
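The mechanism that makes all of this possible is that the lender enforces repayment inside the same call, so the borrower either returns the funds before the transaction ends or the transaction reverts as if it never happened. The following Solidity contract is an added illustration of that rule, not code from the article or from any real lending protocol; the contract name SimpleFlashLender, the IFlashBorrower callback interface and the fee value are assumptions, and repayment is modelled as the borrower transferring tokens back to the pool inside its callback.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the lender needs (standard function names).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Callback the borrowing contract must implement (hypothetical interface name).
interface IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

// Hypothetical single-asset flash lender. Lending and repayment happen inside one
// call, so inside one transaction: if the pool balance is not restored before the
// function returns, the whole transaction reverts and the tokens never left the pool.
contract SimpleFlashLender {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9; // 0.09 % fee, constructed value
    bool private locked;                  // reentrancy guard

    constructor(IERC20 _token) {
        token = _token;
    }

    function flashLoan(address borrower, uint256 amount, bytes calldata data) external {
        require(!locked, "reentrant");
        locked = true;

        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Hand the tokens to the borrower with no collateral...
        require(token.transfer(borrower, amount), "transfer failed");

        // 2. ...let the borrower do whatever it wants in its callback...
        IFlashBorrower(borrower).onFlashLoan(address(token), amount, fee, data);

        // 3. ...and insist the pool is whole (plus fee) before returning.
        // Any shortfall reverts the entire transaction, undoing steps 1 and 2.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");

        locked = false;
    }
}
```

The security-relevant line is the final require: the lender never checks who the borrower is or what it did, only that the balance is back. This is why a flash loan carries no risk for the borrower, and also why any other contract whose logic depends on who holds an asset "right now" must assume that holding may last for exactly one transaction.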
The NFTX protocol allows users to deposit their NFTs into a vault and in return mint a token that can be traded on platforms like Sushi, Uniswap, and Bancor.
On NFTX he could find BAYC NFTs that were locked up in the NFTX vault; since no individual controlled them, nobody had used them to claim the airdrop.
As can be seen in the following screenshot:
After the attack, the attacker sold the ApeCoin on the open market and gained $1.5 million.
The main bug was that the ApeCoin airdrop didn’t check how long the holder had owned the Bored Ape NFT. Instead, it was claimable by anyone who owned a Bored Ape at the moment of claiming the airdrop.
This means all an attacker has to do is possess a Bored Ape for a brief moment to claim that airdrop.
We can see in the contract the vulnerable function:
As we can see in the AirdropGrapesToken contract, the function claimTokens() calls getClaimableTokenAmountAndGammaToClaim() to calculate the amount of ApeCoin to claim based on how many NFTs the caller currently holds; it doesn’t consider how long the caller has owned those NFTs.
CPR urges crypto users to protect against flash loan attacks by verifying that the Ape holder has held the NFT for more than a day.
Doing so would prevent an attacker from borrowing an Ape, redeeming the tokens and returning the Ape within the same transaction.
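To make the weakness and the recommended fix concrete, here is an added Solidity example written for this article; it is not the AirdropGrapesToken code and does not reproduce its internals. SnapshotlessAirdrop models the described behaviour (eligibility is whoever owns the NFT at the instant of the call), and HoldingPeriodAirdrop implements the holding-period check suggested above as a two-step register-then-claim flow. Contract and function names, the IMintableToken interface and the MIN_HOLD value are assumptions; the 10,094 tokens per NFT comes from the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 surface needed (standard function name).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Minimal mint hook for the airdropped ERC-20 (hypothetical interface).
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// VULNERABLE pattern, modelled on the behaviour described in the article:
// the only ownership check is "who owns it right now", so ownership that
// lasts for a single transaction (e.g. a flash-loaned NFT) is enough.
contract SnapshotlessAirdrop {
    IERC721 public immutable nft;
    IMintableToken public immutable token;
    uint256 public constant PER_NFT = 10_094 ether; // 10,094 tokens per NFT
    mapping(uint256 => bool) public claimed;

    constructor(IERC721 _nft, IMintableToken _token) { nft = _nft; token = _token; }

    function claimTokens(uint256[] calldata tokenIds) external {
        uint256 amount;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(!claimed[tokenIds[i]], "already claimed");
            require(nft.ownerOf(tokenIds[i]) == msg.sender, "not owner"); // instant check only
            claimed[tokenIds[i]] = true;
            amount += PER_NFT;
        }
        token.mint(msg.sender, amount);
    }
}

// HARDENED pattern (added here, not the project's code): a claim is registered
// first and can only be completed by the same address, still owning the same NFT,
// at least MIN_HOLD later. A flash loan must be repaid within one transaction,
// so a borrowed NFT can never pass both checks.
contract HoldingPeriodAirdrop {
    IERC721 public immutable nft;
    IMintableToken public immutable token;
    uint256 public constant PER_NFT = 10_094 ether;
    uint256 public constant MIN_HOLD = 1 days; // assumed holding period

    struct Registration { address holder; uint64 registeredAt; }
    mapping(uint256 => Registration) public registrations;
    mapping(uint256 => bool) public claimed;

    constructor(IERC721 _nft, IMintableToken _token) { nft = _nft; token = _token; }

    // Step 1: prove ownership now and start the clock for this tokenId.
    function register(uint256 tokenId) external {
        require(!claimed[tokenId], "already claimed");
        require(nft.ownerOf(tokenId) == msg.sender, "not owner");
        registrations[tokenId] = Registration(msg.sender, uint64(block.timestamp));
    }

    // Step 2: at least MIN_HOLD later, prove the same address still owns it.
    function claimTokens(uint256[] calldata tokenIds) external {
        uint256 amount;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            uint256 id = tokenIds[i];
            Registration memory r = registrations[id];
            require(!claimed[id], "already claimed");
            require(r.holder == msg.sender, "not registered by caller");
            require(block.timestamp >= r.registeredAt + MIN_HOLD, "holding period not met");
            require(nft.ownerOf(id) == msg.sender, "not owner"); // must still hold it
            claimed[id] = true;
            delete registrations[id];
            amount += PER_NFT;
        }
        token.mint(msg.sender, amount);
    }
}
```

The two-step flow is one way to express "has held it for more than a day" without any cooperation from the NFT contract: both ownership checks must succeed from the same address in transactions at least a day apart, which a single atomic transaction cannot satisfy. The trade-off is that a transfer-and-return between the two steps is not detected unless the new owner re-registers; projects that need a stronger guarantee typically publish a fixed snapshot of eligible owners taken before the airdrop is announced, so that eligibility cannot be created after the fact at all.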
Our researchers will continue monitoring further developments on this story and will report accordingly.