Detail Analysis

Date: March 18, 2022
Status: Verified
Count: 1
Contributor: zerofriction.io

Loss Amount: 820,000
Recovered Amount: -
Currency: Dollars, ETH

KYC By: None
Audit By: None

Website: No data
Twitter: No data
Discord: No data
Telegram: No data
Medium: No data
Github: No data

Key Indicators

Platform: Ethereum
Type: Token
Category: Assets
Method: Flash Loans

Extended Method: Logic error, Input validation does not consider how long the caller owns the NFTs

Data Sources:

An exploiter claimed a large amount of APECOIN in the airdrop event by using a flash loan of $BAYC tokens to redeem #BAYC NFTs.

1. The attacker bought NFT No.1060 from OpenSea, which was later used as the flash loan fee to flash loan 5.2 BAYC tokens from the "NFTX Vault".
2. Then used the BAYC tokens borrowed in step 1 to redeem BAYC NFTs (NFT token IDs: 7594, 8214, 9915, 8167, 4755).
3. Then claimed 60,564 ApeCoin tokens as a reward in the Airdrop contract and sold the majority of the $APE on the market for #ETH.
4. Minted the BAYC NFTs back into BAYC tokens to pay back the flash loan and fees.

Contracts Vulnerability Analysis:
The getClaimableTokenAmountAndGammaToClaim() function in the AirdropGrapesToken contract, which calculates the amount of ApeCoin to claim based on how many NFTs the caller has, doesn't consider how long the caller has owned those NFTs.
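
The eligibility flaw described above, modelled next to a snapshot-based check. This is an added example, not the AirdropGrapesToken code: the classes, RATE, the block numbers and the account names are all constructed, and snapshot eligibility is shown as one common mitigation, not a fix the page attributes to the project.

```python
RATE = 100  # constructed per-NFT allocation, not the real airdrop amount

class NFTLedger:
    """Ownership history per token id: list of (block, owner), oldest first."""
    def __init__(self):
        self.history = {}

    def transfer(self, token_id, new_owner, block):
        self.history.setdefault(token_id, []).append((block, new_owner))

    def owner_at(self, token_id, block):
        """Latest recorded owner as of `block` (None if not yet minted)."""
        owners = [o for b, o in self.history.get(token_id, []) if b <= block]
        return owners[-1] if owners else None

    def tokens_of(self, owner, block):
        return {t for t in self.history if self.owner_at(t, block) == owner}

class Airdrop:
    def __init__(self, ledger, snapshot_block):
        self.ledger, self.snapshot_block = ledger, snapshot_block
        self.claimed = set()  # token ids already used for a claim

    def _pay(self, tokens):
        fresh = tokens - self.claimed
        self.claimed |= fresh
        return RATE * len(fresh)

    def claim_by_current_balance(self, caller, block):
        # Rule the page describes as flawed: only holdings at call time count.
        return self._pay(self.ledger.tokens_of(caller, block))

    def claim_by_snapshot(self, caller, block):
        # Hardened rule: held now AND at a snapshot block fixed in advance.
        now = self.ledger.tokens_of(caller, block)
        then = self.ledger.tokens_of(caller, self.snapshot_block)
        return self._pay(now & then)

def demo():
    """Constructed scenario: tokens 1-3 leave the vault only inside block 200."""
    ledger = NFTLedger()
    for tid, owner in ((1, "vault"), (2, "vault"), (3, "vault"), (9, "holder")):
        ledger.transfer(tid, owner, 10)
    for tid in (1, 2, 3):
        ledger.transfer(tid, "borrower", 200)  # temporary holding
    flawed, fixed = Airdrop(ledger, 100), Airdrop(ledger, 100)
    return (flawed.claim_by_current_balance("borrower", 200),
            fixed.claim_by_snapshot("borrower", 200),
            fixed.claim_by_snapshot("holder", 200))
```

Under the balance-only rule the temporary holder is paid for every token it holds at call time; under the snapshot rule only the account that held its token at block 100 is paid.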

DISCLAIMER: While Zero Friction LLC has used its best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.