ID: apecoin-30
Date: March 18, 2022
Status: Verified
Incident Count: 1

REKT

Contributor: zerofriction.io
KYC By:
KYC: No
Audit By:
Audits: None
Loss Amount: 230,000
Recovered: -
Rewards:
Currency: USD, ETH

Key Indicators

Platform: Ethereum
Type: Assets
Category: Token
Method: Flash Loans
Data Sources:
Extended Method: Logic error; input validation does not consider how long the caller has owned the NFTs
Days in Operation: 225 (0.62 Years)

An exploiter claimed a large amount of APECOIN in the airdrop event by flash-loaning $BAYC tokens and redeeming them for #BAYC NFTs.

1. The attacker bought NFT No. 1060 on OpenSea; it was later used as the flash loan fee to flash-loan 5.2 BAYC tokens from the "NFTX Vault".
2. The BAYC tokens borrowed in step 1 were then redeemed for BAYC NFTs (NFT token IDs: 7594, 8214, 9915, 8167, 4755).
3. The attacker then claimed 60,564 ApeCoin tokens as a reward from the Airdrop contract and sold the majority of the $APE on the market for #ETH.
4. Finally, the BAYC NFTs were minted back into BAYC tokens to repay the flash loan and fees.

In total, the attacker obtained 60,564 APE tokens, worth around 500K USD (at the time of writing this blog, the price of APE is $8). The cost was one NFT (106 ETH - 14 ETH), which is around 270K USD.

Contracts Vulnerability Analysis:
The getClaimableTokenAmountAndGammaToClaim() function in the AirdropGrapesToken contract calculates the amount of ApeCoin a caller can claim from the number of NFTs the caller currently holds, without considering how long the caller has owned those NFTs.
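The weak pattern described above beside a hardened form, as an added illustration in Solidity (not the AirdropGrapesToken code): VulnerableAirdrop pays out on balanceOf at call time, while HardenedAirdrop ties each NFT's claim to a registered holding period that no single-transaction flash loan can satisfy. The contract names, CLAIM_PER_NFT and MIN_HOLD are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration, not the AirdropGrapesToken code; contract names,
// CLAIM_PER_NFT and MIN_HOLD are assumptions for this example.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function balanceOf(address owner) external view returns (uint256);
}
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
uint256 constant CLAIM_PER_NFT = 10_000 ether; // hypothetical per-NFT allocation
// Weak pattern: payout is a pure function of balanceOf at call time, so an NFT
// borrowed and returned inside one transaction counts as fully as one held for months.
contract VulnerableAirdrop {
    IERC721 public immutable nft;
    IERC20 public immutable token;
    mapping(address => bool) public claimed;
    constructor(IERC721 _nft, IERC20 _token) { nft = _nft; token = _token; }
    function claim() external {
        require(!claimed[msg.sender], "claimed");
        claimed[msg.sender] = true;
        // No time dimension: the current balance alone decides the amount.
        require(token.transfer(msg.sender, nft.balanceOf(msg.sender) * CLAIM_PER_NFT), "transfer");
    }
}
// Hardened pattern: eligibility is tied to a tokenId and a holding period that must span more
// than one transaction; a flash loan is repaid within one transaction, so MIN_HOLD cannot elapse.
contract HardenedAirdrop {
    IERC721 public immutable nft;
    IERC20 public immutable token;
    uint256 public constant MIN_HOLD = 7 days;
    struct Reg { address holder; uint64 since; }
    mapping(uint256 => Reg) public registered;    // tokenId => who started holding, and when
    mapping(uint256 => bool) public tokenClaimed; // each NFT pays out once, whoever holds it
    constructor(IERC721 _nft, IERC20 _token) { nft = _nft; token = _token; }
    // Step 1: the current owner records the start of the holding period.
    function register(uint256 tokenId) external {
        require(nft.ownerOf(tokenId) == msg.sender, "not owner");
        registered[tokenId] = Reg(msg.sender, uint64(block.timestamp));
    }
    // Step 2: the same address must still own the NFT once MIN_HOLD has elapsed.
    function claim(uint256 tokenId) external {
        Reg memory r = registered[tokenId];
        require(r.holder == msg.sender && nft.ownerOf(tokenId) == msg.sender, "not holder");
        require(block.timestamp >= r.since + MIN_HOLD, "hold period not met");
        require(!tokenClaimed[tokenId], "claimed");
        tokenClaimed[tokenId] = true;
        require(token.transfer(msg.sender, CLAIM_PER_NFT), "transfer");
    }
}
```

An equivalent mitigation is to fix eligibility at a pre-announced snapshot block (for example via a Merkle root of holders) so that ownership acquired afterwards, borrowed or not, earns nothing.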


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.