In the world of investing, there are people who take advantage of market volatility and those who rather invest in less risky assets like Bonds and Treasury Bills. There are also investors who we like to term as “smart opportunist” who take advantage of events to seek financial reward. This investor fit into this category as his foresight was able to net over a million dollars in earnings, all in one transaction.
Yuga Labs, the creators of Bored Ape Yacht Club (BAYC), airdropped ApeCoin (APE) to anyone who owns one of their NFTs. The team allocated 150 million tokens or 15% of the total ApeCoin supply to holders of Bored Ape Yacht Club and Mutant Ape Yacht Club collections, amounting to a staggering value of more than $800 million. Each BAYC holder got 10,094 tokens, which is currently valued at $116,383.82 using the current market price of $11.53 per token.
An unknown investor was able to find a way to claim the airdrop, using NFTs that they did not initially own. They took advantage of the specific way the airdrop works to carry it out. And it was a very effective move that netted them $1.1 million in ApeCoin.
How did it happen?
- The trick was that the ApeCoin airdrop was not handed out based on a snapshot of who owned which Bored Ape at a specific time in the past. Instead, it was claimable by anyone who owns a Bored Ape at the point of claiming the airdrop.
- So, if you gave someone your Bored Ape and you hadn’t already claimed the tokens, they would be able to claim your tokens.
- This meant all the person had to do was get a hold of some Bored Apes that hadn’t had their tokens claimed — and they would only need to be in possession of these Apes for a brief moment to claim the airdrop. In fact, they could be handed back straight away, which the investor did.
- For this manoeuvre, the person started by finding a vault that contained five Bored Ape NFTs, which hadn’t been used to claim the airdrop. A vault is a way to tokenize an NFT or a set of NFTs.
- What happens is you take a group of NFTs, put them in the vault and you create a token. This token can then be staked to earn token rewards, or it can be sold (representing part of the value of the collection of NFTs). Anyone who owns enough of the tokens can redeem them for the underlying NFTs.
- This vault was created on a protocol called NFTX. It contained five Bored Apes: #7594, #8214, #9915, #8167, and #4755 worth about 500 ETH ($1.4 million) based on the current floor price. Since the NFTs were locked up in the vault and not controlled by any one party, nobody had used them to claim the airdrop.
- The person wanted to unlock the NFTs to use them to claim the airdrop, but they didn’t want to buy them outright, something that would be expensive to do. So to get through this huddle, the investor used a flash loan, a tool commonly used for large DeFi hacks, to carry out this plan.
- Flash loans are a way to borrow large amounts of crypto at low cost, on the basis that the crypto is repaid in the same transaction in the same block (meaning that the funds are never at risk of not being repaid).
- In this case, they bought a Bored Ape on NFT marketplace OpenSea for under $300,000 and used it as collateral to take out the flash loan. The flash loan was then used to purchase a large amount of the vault’s token, letting them redeem the five NFTs.
- The NFTs were then used to claim the airdrop, all in this one, complex transaction, before all of them were then returned, the tokens sold back and the loan repaid.
- In this process, they managed to claim an airdrop of 60,564 ApeCoin. They then sold these tokens on the decentralized exchange Uniswap for 399 ETH ($1.1 million). After, they sold back the original Bored Ape NFT that was used as collateral to the same NFTX vault.
Even though many social media commentators, including myself, hailed the incident as an innovative arbitrage trade, however, security firm BlockSecTeam disagreed. It has labelled this as an attack that exploited an issue in the airdrop-claiming mechanism.
BlockSecTeam told The Block that based on its analysis, the user likely took advantage of a “vulnerability” in yesterday’s airdrop event. They stated, “We think it’s an attack as the airdrop mechanism has a vulnerability. The airdrop claim depended on the spot state, whether a user held the NFT at that time of claim and the attacker exploited this vulnerability to profit.”
One way this could have been avoided is if the airdrop had taken into account how long a person owned the NFT before the reward could be claimed.