Full Report
An NFT airdrop is how freshly minted NFTs go into multiple wallets at once. ApeCoin was distributing a large amount of NFTs to Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT owners. A Bored Ape owner had to invoke the claimTokens() function of the AirdropGraphsToken contract to claim their free ApeCoin. In order to verify if you deserved a token from the airdrop, the contract would validate the balanceOf() a particular user. Down the road, when the tokens were distributed, it was marked in a list who owned which ID. Free giveaways are complicated to do in the Defi world. This is because there are many ways for users to get into the game momentarily just to get the free token. Normally, the eligibility of a Airdrop is NOT determined by balanceOf calls. NFTX is a platform for creating liquid markets for illiquid Non-Fungible Tokens (NFTs). The vToken is how this is done. A user deposits their NFT into the vault and the protocol mints an ERC20 vToken in exchange. Since this platform is meant to increase the liquidness, it has aflash loan functionality for ERC721s. The function flashLoan allows a user to borrow an arbitrary amount of vToken, which is backed by the NFTs. When taking out a flash loan to get vTokens, a user can burn these vTokens to get a specified NFT. Additionally, the burning has a fee of 1.04 as well. Let's say that the BAYC NFTXVault has 10 apes as liquidity in it. An attacker can exploit this with the following steps: Flash loan to borrow the 10 BAYC vTokens. Burn the vToken to redeem the BAYC NFT from the vault. Claim the ApeCoins. Mint 10 BAYC vTokens from the newly AirDropped tokens. Pay about the 10 BAYC vTokens alongside the fee for performing the exchange. After running through all of these steps, we have gained ApeCoins for doing nothing. That's a pretty neat exploit! The attacker walked away with 14.15 ETH and 60,564 APE for about 350K. Novel functionality in the NFTX vault made this exploit possible.
Analysis Summary
# Vulnerability: Airdrop Eligibility Check Flaw Leading to Flash Loan Arbitrage Exploit
## CVE Details
- CVE ID: N/A (This appears to be a platform-specific logic flaw, not a standardized library vulnerability)
- CVSS Score: N/A
- CWE: CWE-843: Access of Object/Resource While Held or Allocated or CWE-840: Improper Initialization (Related to reliance on temporary state/balance checks)
## Affected Systems
- Products: AirdropGraphsToken contract (for ApeCoin distribution), NFTX BAYC NFTXVault contract.
- Versions: Unspecified. The vulnerability is based on the specific contract logic active during the ApeCoin airdrop period (March 17, 2022).
- Configurations: Any configuration relying on `balanceOf()` checks within the Airdrop contract for eligibility determination, paired with an NFTX vault supporting ERC721 flash loans and redemption/minting fee structures that allow for profit extraction.
## Vulnerability Description
The vulnerability stems from a critical design decision in the `AirdropGraphsToken.claimTokens()` function. Instead of utilizing a more secure method like Merkle Trees to prove non-custodial ownership, the contract determined eligibility by directly calling `alpha.balanceOf()` and `beta.balanceOf()` (for BAYC/MAYC ownership).
This allowed an attacker to temporarily gain control of the required NFTs by using the novel **ERC721 Flash Loan functionality** provided by NFTX. The exploit chain involved:
1. **Flash Loan:** Borrowing vTokens (backed by BAYC NFTs) from the NFTX vault.
2. **Redemption:** Burning the vTokens to temporarily withdraw the underlying BAYC NFTs from the vault.
3. **Claiming:** Calling `claimTokens()` on the AirdropGraphsToken contract using the temporarily acquired NFTs to claim free ApeCoin.
4. **Liquidation/Repayment:** Minting new vTokens using the claimed ApeCoins (or other means), repaying the flash loan plus fees, and retaining the profit from the ApeCoin distribution.
The specific fee structure of NFTX (a 1.04 fee per redemption) was integrated into the economic calculation, making the operation profitable if the value of the claimed tokens exceeded the borrowing/fee costs.
## Exploitation
- Status: **Exploited in the wild** (Reported as successfully executed moments after the airdrop launch).
- Complexity: Medium (Requires deep knowledge of both the Airdrop contract logic and the unique flash loan/redemption mechanics of the NFTX vault, plus calculating the profitable arbitrage window).
- Attack Vector: Network (Remote contract interaction).
## Impact
- Confidentiality: None (Public contract interaction)
- Integrity: Medium (Unauthorized assets/tokens were claimed based on temporary control)
- Availability: Low (Temporary locking/borrowing of underlying collateral NFTs)
*Note: The primary impact was financial gain for the attacker (~14.15 ETH and 60,564 APE).*
## Remediation
### Patches
- **Airdrop Contract Patch:** Update eligibility checking to use cryptographic proofs like Merkle Trees which verify ownership at a snapshot time, rather than relying on a live `balanceOf()` check that can be manipulated via temporary asset borrowing.
- **NFTX Vault Logic Review:** While the NFTX flash loan itself was operating as designed, the interaction between this feature and a real-time balance check in an external contract created the exploit vector. Future consideration on how redemption/minting fees are structured relative to external asset flows might be necessary.
### Workarounds
- For the initial airdrop, immediately suspending the claim functionality or switching to a non-balance-check-based verification method upon detecting suspicious transaction patterns.
- For NFTX: Temporarily restricting flash loan functionality for highly valuable or externally incentivized assets that could be used for temporary eligibility manipulation.
## Detection
- **Indicators of Compromise (IoCs):** Transactions involving rapid sequences of `flashLoan()`, NFT redemption (burning vTokens), followed immediately by calls to the specified Airdrop claim functions, and subsequent vToken minting and loan repayment.
- **Detection Methods and Tools:** Monitoring for complex, multi-step flash loan transactions targeting contracts that rely on current `balanceOf()` state *after* a significant token event has occurred. Security monitoring tools should flag Flash Loans executed in conjunction with token claim contracts.
## References
- Vendor advisories: N/A (This is a summary based on an analysis article)
- Relevant links:
- Analysis of the Exploit: hXXps://medium.com/amber-group/reproducing-the-ape-airdrop-flash-loan-arbitrage-exploit-93f79728fcf5