BAYC ApeCoin Suffers $800k Flash Loan “Attack” During Airdrop

Posted on Mar. 30, 2022



The March airdrop of new token ApeCoin (APE), the utility and governance token for the world’s biggest non-fungible token (NFT) project Bored Ape Yacht Club (BAYC) and its grand metaverse plans, caused mass hysteria in the crypto space. Investors and traders alike scrambled to cash in on this multi-billion shot in the arm for markets beaten up by bearish global political and economic events. 

Where there’s greed, there are usually scammers ready to cash in. An anonymous crypto user took advantage of the airdrop to rake in about $800,000 by preemptively taking a flash loan, then renting and selling BAYC NFTs in a stunning move that has left the crypto community divided between alarm and quiet admiration.

The person was able to use a flash loan to rent five BAYC NFTs at just the right moment, making them eligible for the ApeCoin airdrop. They were then able to pay back the loan with the proceeds from the ApeCoin sales and still take in a tremendous profit.

Let’s take a look at what ApeCoin is, what happened with the flash loan exploit, and how the cryptoverse is reacting. It’s likely we’ll see this fascinating maneuver again. 

What is ApeCoin and How is it Connected To BAYC? 

ApeCoin ($APE) is a token project related to the Bored Ape Yacht Club, the top NFT project with sales totaling over $1 billion. BAYC is the first blue-chip NFT project to cross over into the metaverse, and now it’s getting its own token. The team behind it has acquired the IP for other pioneering NFT collections such as Larva Labs’ CryptoPunks and Meebits. The apes themselves have become something of a status symbol, with ownership touted by a horde of celebrities, from Snoop Dogg and Eminem to Jimmy Fallon, and most recently Wiz Khalifa and Madonna.

Recently, a leaked BAYC pitch deck that was dismissed as outdated by the founders mentioned plans for ApeCoin as well as a video game-based metaverse where virtual land will be for sale. Meanwhile, it’s been reported that venture capital firm Andreessen Horowitz is considering raising funds for Yuga Labs, which created BAYC and holds the copyright for the franchise. The valuation for the company is said to be set at $5 billion.

Technically speaking, ApeCoin emerged from the ApeCoin DAO, a decentralized autonomous organization that is governed by token holders as well as the rotating board of something called the Ape Foundation. Nevertheless, it’s common knowledge that the force behind ApeCoin is Yuga Labs, with the company claiming zero responsibility for ApeCoin, presumably to keep securities regulations at arm’s length.

What Happened with the ApeCoin Flash Loan Exploit?

The team behind ApeCoin set aside 150 million tokens to hand over to anyone who held a Bored Ape Yacht Club NFT or its spinoff Mutant Ape Yacht Club. This amounted to about $800 million in ApeCoin, with every BAYC NFT owner being able to claim 10,094 tokens.

Since the airdrop was not based on any kind of snapshot that would prove duration of ownership, anyone who held one of the NFTs at the right moment would be able to claim the airdrop for themselves.

The exploit scheme depended on finding a vault that contained tokenized NFTs. The tokens created can be staked, sold, or the underlying digital asset (NFT) can be redeemed. Essentially, this type of special vault turns non-fungible assets into more liquid assets. Tucked away in a vault set up by the protocol NFTX, the exploiter found five BAYC NFTs with a total worth of $1.4 million that fit the bill perfectly.

Not wishing to actually buy the NFTs, the exploiter took out a flash loan, a kind of low-cost loan that depends on the principal getting paid back within the same transaction block. Using a BAYC NFT they purchased on OpenSea for less than $300,000 as collateral, the person bought a large quantity of the token for the above-mentioned NFTX vault, which allowed them to redeem the underlying BAYC NFTs.

They were then able to claim 60,564 ApeCoins, which they unloaded on decentralized exchange Uniswap for a cool $1.1 million. The flash loan was repaid, the NFTs were returned, and the original collateralized ape was sold, netting over $800,000, all within the span of one Ethereum block. To make matters even more interesting, it’s likely the exploiter found their arbitrage opportunity using a bot.

The Takeaway

While there has been some praise for the exploiter, who some consider to be more of an arbitrageur compared to the Cream Finance flash loan attacks, others have called the incident an “attack,” such as security firm BlockSecTeam, which said the person was taking advantage of a flaw in the airdrop. The company said that since the airdrop relied on the spot state of BAYC NFTs rather than the common snapshot method used for airdrops, the incident should be considered an exploit. 

Whether anyone considers this an ethical trading maneuver is beside the point. The NFT and DeFi spaces are rapidly increasing in value, and so are the bad actors targeting their vulnerabilities and inefficiencies, as the recent OpenSea exploit showed.

Besides keeping up-to-date on happenings related to your NFTs, it’s prudent to safekeep your personal assets in a reputable wallet. For your institutional digital assets, CYBAVO’s products offer support for ERC-721 and ERC-1155 to provide full protection for all your NFTs. With the increased number of transactions and high-value NFTs continuously entering the market, it’s more important than ever, especially at the institutional level, to implement a protection mechanism to safeguard these valuable assets.
