A brief analysis of APE airdrop vulnerability

On March 17, 2022, Beijing time, our system detected suspicious transactions involving APE Coin. According to a report by Twitter user Will Sheehan, an arbitrage bot obtained more than 60,000 APE Coins (worth $8 each) through flash loans.

After analysis, we found that this was related to a loophole in the airdrop mechanism of APE Coin. Specifically, whether APE Coin can be claimed depends on whether a user holds a BAYC NFT at a given instant, and an attacker can manipulate this instantaneous state by borrowing a flash loan and then redeeming BAYC NFTs. The attacker first borrows BAYC Tokens through a flash loan and redeems them for BAYC NFTs. It then uses these NFTs to claim the airdropped APE, and finally mints BAYC Tokens from the BAYC NFTs to return the flash loan. We think this model is very similar to price manipulation attacks based on flash loans (a contract prices an asset using the instantaneous price of another asset, and this instantaneous price can be manipulated).

Next, we use an attack transaction (https://versatile.blocksecteam.com/tx/eth/0xeb8c3bebed11e2e4fcd30cbfc2fb3c55c4ca166003c7f7d319e78eaab9747098) to briefly describe the whole process.

Step I: Attack Preparation

The attacker purchased the BAYC NFT numbered 1060 on the open market for 106 ETH and transferred it to the attack contract.

Step II: Borrow a flash loan and redeem it for BAYC NFTs

The attacker borrowed a large amount of BAYC Token through a flash loan. During this process, the attacker obtained 5 BAYC NFTs (numbered 7594, 8214, 9915, 8167, 4755) by redeeming the BAYC Tokens.

Step III: Claim airdrop rewards through BAYC NFTs

In this step, the attacker used 6 NFTs to claim the airdrop: number 1060, which it had purchased, and the 5 acquired in the previous step. Through the airdrop, the attacker received a total of 60,564 APE tokens.

Step IV: Mint BAYC Tokens from the BAYC NFTs

The attacker needs to return the borrowed BAYC Tokens. To do so, it mints BAYC Tokens from the BAYC NFTs. During this process, it also mints from its own NFT, number 1060, because additional BAYC Tokens are required to pay the flash loan fee. After paying the fee, it sells the remaining BAYC Tokens for 14 ETH.

Profit

The attacker obtained 60,564 APE tokens, worth $500,000. The cost of the attack was NFT number 1060 (106 ETH) minus the 14 ETH obtained from selling BAYC Tokens.

Lessons

We believe the root of the problem is that the APE airdrop considers only instantaneous state (whether the NFT is held by a given user at a given moment). This assumption is very fragile and can easily be manipulated by attackers. If the attacker's cost of manipulating the state is less than the reward obtained from the APE airdrop, an actual attack opportunity is created.
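
The difference between an instantaneous ownership check and a snapshot-based one, as an added example that is not code from the APE or BAYC contracts: a toy Python model that replays the steps above in one atomic transaction. The snapshot design, the names `Airdrop`, `replay`, `vault` and `claiming_contract`, and the per-NFT reward (60,564 / 6) are assumptions made for illustration.

```python
# Added illustration: a toy model of airdrop eligibility, not the APE or BAYC contract code.
APE_PER_NFT = 60_564 // 6  # per-NFT reward implied by the article's totals (assumption)

class Airdrop:
    def __init__(self, holders):
        self.owner_of = dict(holders)   # live state: token id -> current holder
        self.snapshot = dict(holders)   # state frozen at an earlier block (assumed mitigation)
        self.claimed = set()

    def transfer(self, token_id, to):
        self.owner_of[token_id] = to    # changes live state only, never the snapshot

    def claim(self, caller, token_ids, use_snapshot):
        # The source of eligibility is the only difference between the two designs.
        state = self.snapshot if use_snapshot else self.owner_of
        ok = [t for t in token_ids if state.get(t) == caller and t not in self.claimed]
        self.claimed.update(ok)
        return APE_PER_NFT * len(ok)

def replay(use_snapshot):
    """Replay the article's steps as one atomic transaction; return APE paid to the caller."""
    vault, caller = "vault", "claiming_contract"     # hypothetical names
    redeemed = [7594, 8214, 9915, 8167, 4755]        # NFT numbers from the article
    holders = {t: vault for t in redeemed}
    holders[1060] = caller                           # bought before the transaction
    drop = Airdrop(holders)
    for t in redeemed:                               # Step II: redeem NFTs with borrowed tokens
        drop.transfer(t, caller)
    paid = drop.claim(caller, redeemed + [1060], use_snapshot)  # Step III: claim
    for t in redeemed + [1060]:                      # Step IV: NFTs go back to mint tokens
        drop.transfer(t, vault)
    return paid

if __name__ == "__main__":
    print("instantaneous check pays:", replay(use_snapshot=False))
    print("snapshot check pays:     ", replay(use_snapshot=True))
```

With the snapshot, the temporarily held NFTs earn nothing for the caller; only the NFT it held before the transaction is eligible.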

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/a-brief-analysis-of-ape-airdrop-vulnerability/