22 Mar 2022 · 2 min read

ApeCoin Smart Contract Exploited, ‘Well-Prepared Claimer’ Walks Away With USD 380K


A Bored Ape Yacht Club (BAYC) non-fungible token (NFT) owner has reportedly exploited a vulnerability in the smart contract that airdropped ApeCoin (APE) tokens to community members, walking away with nearly USD 380,000 in profits.

The exploit of the ApeCoin airdrop was explained in detail by the digital asset manager and trading platform provider Amber Group, which said it is likely the first exploit to be executed with NFTs and NFT automated market makers (AMMs) on Ethereum (ETH).

According to the rather technical walkthrough of the exploit that Amber Group published on its blog, in order to get ETH 14.15 (USD 42,710) and APE 60,564 (USD 656,514), the exploiter paid ETH 106 (USD 319,944), meaning he walked away with a profit of USD 379,280 at current prices.

The exploit happened just minutes after the ApeCoin Decentralized Autonomous Organization (DAO) had initiated its airdrop, while gas prices on Ethereum were still elevated as users rushed to claim their new APE tokens.

“5 minutes after the airdrop was initiated, one well-prepared claimer leveraged the BAYC liquidity on NFTX for a pretty clever arbitrage/exploit,” Amber Group said about the incident on Twitter.

And while the person exploiting the smart contract was able to more than double their initial investment, Amber Group said in the blog post that they were still able to reproduce the results.

“Based on the aforementioned information, we can reproduce the exploit by purchasing some BAYC vTokens on SushiSwap and using those vTokens as redemption/minting fees,” the firm wrote. It added that all available APE tokens could be redeemed by using a “flash loan” function.

Flash loans are a type of uncollateralized loan that is sometimes enabled by decentralized finance (DeFi) protocols. The loans have been at the core of a number of DeFi exploits and other incidents in recent years.

“With the help of our in-house blockchain data analytics platform, we identified 8,647 of 10k BAYCs as having been used to claim the free ApeCoin as of the end of Mar 21, 2022. This means at the time of writing, one can still collect some Apes, claim the ApeCoin airdrop, and make a profit,” Amber Group’s researchers wrote in concluding the article.

Cryptonews.com has reached out to ApeCoin DAO for a comment.

As of 12:04 UTC, the price of APE did not seem to have been affected by the incident. The token is up by 3.5% over the past 24 hours, trading at a price of USD 10.84.
