A vulnerability in the Bored Ape Yacht Club’s (BAYC) airdrop was exploited to steal about $1.5 million in ApeCoin tokens (APE), a research report showed. APE tokens were initially distributed to holders of BAYC NFTs this Thursday, before becoming available to trade on the open market.
Cybersecurity firm Check Point Research said the hacker used a method called a “flash loan” to quickly borrow BAYC NFTs and redeem a large number of tokens.
The main vulnerability in the airdrop was that BAYC did not check how long the NFT holders had owned the asset, Check Point said. As such, the attacker had to own a BAYC NFT for only a brief moment to claim the token.
The hacker also used an NFT vault platform called NFTX to identify BAYCs that had not been used to claim the airdrop, which they then exploited to claim APE tokens. Check Point said the attacker sold the APE tokens on the open market for $1.5 million.
A separate report from security firm CertiK said the hacker made a profit of around $800,000.
BAYC creator Yuga Labs did not create a snapshot, i.e., a record of all BAYC holders, before the airdrop. This allowed people to buy BAYCs in real time to claim the airdrop.
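The difference between checking ownership at the moment of the claim and checking a pre-drop snapshot, shown as an added Python model that is not Yuga Labs' contract code. The class, method and account names and the 100-token allocation are constructed for illustration.

```python
# Added illustration: names and numbers are constructed, not ApeCoin contract code.
from dataclasses import dataclass, field
from typing import Optional

TOKENS_PER_NFT = 100  # constructed allocation, not the real figure


@dataclass
class Airdrop:
    owners: dict                       # live registry: nft_id -> current owner
    snapshot: Optional[dict] = None    # frozen copy of owners taken before the drop
    claimed: set = field(default_factory=set)

    def take_snapshot(self):
        self.snapshot = dict(self.owners)

    def claim_live(self, caller, nft_id):
        """Weak check: only asks who owns the NFT at this instant."""
        if nft_id in self.claimed or self.owners.get(nft_id) != caller:
            return 0
        self.claimed.add(nft_id)
        return TOKENS_PER_NFT

    def claim_snapshot(self, caller, nft_id):
        """Hardened check: eligibility is fixed by the pre-drop record."""
        if self.snapshot is None:
            raise RuntimeError("snapshot must be taken before claims open")
        if nft_id in self.claimed or self.snapshot.get(nft_id) != caller:
            return 0
        self.claimed.add(nft_id)
        return TOKENS_PER_NFT


def transient_holder_claim(use_snapshot):
    """A party holds NFT 1 only for the duration of one claim, then returns it."""
    drop = Airdrop(owners={1: "vault", 2: "alice"})
    if use_snapshot:
        drop.take_snapshot()
    claim = drop.claim_snapshot if use_snapshot else drop.claim_live
    drop.owners[1] = "borrower"        # temporary transfer in
    received = claim("borrower", 1)
    drop.owners[1] = "vault"           # transfer back out
    long_term = claim("alice", 2)      # long-term holder is unaffected
    return received, long_term
```

With the live check the temporary holder receives the allocation; with the snapshot check the same sequence yields nothing, while the long-term holder can claim in both cases.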
Data from NFT Price Floor shows that BAYC’s price floor, i.e., the lowest price at which one can buy into the project, had surged by nearly 20% after the announcement of the airdrop. The price, along with BAYC sales, had continued to increase as the airdrop began, peaking at 105.91 ETH (USD 313,938).
ApeCoin saw large price swings in its trading debut. The token surged to as much as $40 before sinking to $6 after the airdrop and as it began trading on several major exchanges. At the time of writing, the token was trading at about $13.2, having lost 16% over the past 24 hours.
The token was revealed earlier this week. About 15% of total supply was distributed through the airdrop.