A Bored Ape Yacht Club (BAYC) non-fungible token (NFT) owner has reportedly exploited a vulnerability in the smart contract that airdropped ApeCoin (APE) tokens to community members, walking away with nearly USD 380,000 in profits.
The exploit of the ApeCoin airdrop was explained in detail by the digital asset manager and trading platform provider Amber Group, which said it is likely the first exploit to be executed with NFTs and NFT automated market makers (AMMs) on Ethereum (ETH).
According to the rather technical walkthrough of the exploit that Amber Group published on its blog, in order to get ETH 14.15 (USD 42,710) and APE 60,564 (USD 656,514), the exploiter paid ETH 106 (USD 319,944) -- meaning, he walked away with a profit of USD 379,280 by current prices.
The exploit happened just minutes after the ApeCoin Decentralized Autonomous Organization (DAO) had initiated its airdrop, while gas prices on Ethereum were still elevated as users rushed to claim their new APE tokens.
“5 minutes after the airdrop was initiated, one well-prepared claimer leveraged the BAYC liquidity on NFTX for a pretty clever arbitrage/exploit,” Amber Group said about the incident on Twitter.
And while the person exploiting the smart contract was able to more than double their initial investment, Amber Group said in the blog post that they were still able to reproduce the results.
“Based on the aforementioned information, we can reproduce the exploit by purchasing some BAYC vTokens on SushiSwap and using those vTokens as redemption/minting fees,” the firm wrote. It added that all available APE tokens could be redeemed by using a “flash loan” function.
Flash loans are a type of uncollateralized loan that is sometimes enabled by decentralized finance
Read more on cryptonews.com