Yesterday, Yuga Labs, the creators of Bored Ape Yacht Club (BAYC), airdropped ApeCoin (APE) to anyone who owns one of their NFTs.
The team allocated 150 million tokens, or 15% of the total ApeCoin supply, to holders of the Bored Ape Yacht Club and Mutant Ape Yacht Club collections, amounting to a staggering value of more than $800 million. Each BAYC holder got 10,094 tokens, valued at anywhere between $80,000 and $200,000.
But someone found a way to claim the airdrop using NFTs that they did not own beforehand, by taking advantage of the specific way the airdrop was designed to be claimed. It was a very effective move that netted them $1.1 million in ApeCoin.
The trick was that the ApeCoin airdrop was not handed out based on a snapshot of who owned which Bored Ape at a specific time in the past. Instead, it was claimable by anyone who owns a Bored Ape at the point of claiming the airdrop. So if you gave someone your Bored Ape — and you hadn’t already claimed the tokens — they would be able to claim your tokens.
This meant all the person had to do was get a hold of some Bored Apes that hadn’t had their tokens claimed — and they would only need to be in possession of these Apes for a brief moment to claim the airdrop. In fact, they could be handed back straight away.
So, what happened?
For this maneuver, the person started by finding a vault that contained five Bored Ape NFTs, which hadn’t been used to claim the airdrop.
A vault is a way to tokenize an NFT or a set of NFTs. You deposit a group of NFTs into the vault and receive a token in return. This token can then be staked to earn token rewards, or it can be sold (representing part of the value of the collection of NFTs). Anyone who owns enough of the tokens can redeem them for the underlying NFTs.
This vault was created on a protocol called NFTX. It contained five Bored Apes: #7594, #8214, #9915, #8167, and #4755 worth about 500 ETH ($1.4 million) based on the current floor price. Since the NFTs were locked up in the vault and not controlled by any one party, nobody had used them to claim the airdrop.
The person wanted to unlock the NFTs to use them to claim the airdrop, but they didn’t want to buy them outright — something that would be expensive to do.
So they used a flash loan, a tool commonly used for large DeFi hacks, to carry out this plan. Flash loans are a way to borrow large amounts of crypto at low cost, on the condition that the loan is repaid within the same transaction in the same block; if it is not repaid, the whole transaction reverts, so the funds are never at risk of not being repaid.
In this case, they bought a Bored Ape on NFT marketplace OpenSea for under $300,000 and used it as collateral to take out the flash loan. The flash loan was then used to purchase a large amount of the vault’s token, letting them redeem the five NFTs. The NFTs were used to claim the airdrop — all in this one, complex transaction — before all five were returned to the vault, the vault tokens sold back and the loan repaid.
In this process, they managed to claim an airdrop of 60,564 ApeCoin. They then sold these tokens on the decentralized exchange Uniswap for 399 ETH ($1.1 million). After, they sold back the original Bored Ape NFT that was used as collateral to the same NFTX vault.
OpenSea has since tagged the five NFTs — excluding the one used as collateral — in the vault for suspicious activity.
Attack or arbitrage?
Even though many social media commentators hailed the incident as an innovative arbitrage trade, security firm BlockSecTeam disagreed. It has labeled this as an attack that exploited an issue in the airdrop-claiming mechanism.
BlockSecTeam told us that based on its analysis, the user likely took advantage of a “vulnerability” in yesterday’s airdrop event.
“We think it’s an attack as the airdrop mechanism has a vulnerability. The airdrop claim depended on the spot state, whether a user held the NFT at that time of claim and the attacker exploited this vulnerability to profit,” BlockSecTeam said.
One way this could have been avoided is if the airdrop had taken into account how long a person owned the NFT before the reward could be claimed.
Since Yuga Labs did not take a snapshot — a method that’s common for most airdrops — it meant that anyone could buy the NFT in real time to claim it. This is likely the primary reason why the BAYC sales spiked so soon after the airdrop announcement.
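The two eligibility rules discussed above, the spot-state check that BlockSecTeam describes as the weakness and the snapshot-based check the article names as the common alternative, as a toy Python model added here. This is not Yuga Labs' or NFTX's code; the registry, the two claim functions, the token ids and the owner names are all constructed for the example.

```python
from dataclasses import dataclass, field
TOKENS_PER_NFT = 10_094  # per-NFT allocation reported above; model value only

class NFTRegistry:
    """Minimal ERC-721-style owner mapping: token id -> current owner."""
    def __init__(self, owners):
        self.owners = dict(owners)
    def owner_of(self, token_id):
        return self.owners[token_id]
    def transfer(self, token_id, sender, recipient):
        assert self.owners[token_id] == sender, "sender is not the owner"
        self.owners[token_id] = recipient

@dataclass
class SpotStateAirdrop:
    """Weak design: whoever holds the NFT at the moment of claiming is paid."""
    nfts: NFTRegistry
    claimed: set = field(default_factory=set)
    def claim(self, caller, token_id):
        if token_id in self.claimed or self.nfts.owner_of(token_id) != caller:
            return 0
        self.claimed.add(token_id)
        return TOKENS_PER_NFT

@dataclass
class SnapshotAirdrop:
    """Hardened design: eligibility is fixed to the owner recorded at a past block."""
    snapshot: dict  # token id -> owner at the snapshot block, taken before the announcement
    claimed: set = field(default_factory=set)
    def claim(self, caller, token_id):
        if token_id in self.claimed or self.snapshot.get(token_id) != caller:
            return 0
        self.claimed.add(token_id)
        return TOKENS_PER_NFT

def transient_holder_claim(airdrop, nfts, token_id, vault, borrower):
    """Borrow-claim-return as one atomic step: NFT leaves the vault, claim, NFT goes back."""
    nfts.transfer(token_id, vault, borrower)
    payout = airdrop.claim(borrower, token_id)
    nfts.transfer(token_id, borrower, vault)
    return payout

def compare_designs():
    """Same transient-holder sequence against both designs -> (spot_payout, snapshot_payout)."""
    snapshot = {7594: "vault", 8214: "vault", 1: "alice"}  # constructed owners, not real data
    nfts = NFTRegistry(snapshot)  # live state starts out equal to the snapshot
    spot = transient_holder_claim(SpotStateAirdrop(nfts), nfts, 7594, "vault", "borrower")
    snap = transient_holder_claim(SnapshotAirdrop(snapshot), nfts, 7594, "vault", "borrower")
    return spot, snap
```

Under the spot-state rule the borrower is paid even though the NFT is back in the vault by the end of the step; under the snapshot rule only the recorded owner can ever claim, so a momentary transfer earns nothing.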