Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An NFT airdrop is how freshly minted NFTs go into multiple wallets at once. ApeCoin was distributing a large amount of NFTs to Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT owners.

A Bored Ape owner had to invoke the claimTokens() function of the AirdropGraphsToken contract to claim their free ApeCoin. In order to verify if you deserved a token from the airdrop, the contract would validate the balanceOf() a particular user. Down the road, when the tokens were distributed, it was marked in a list who owned which ID.

Free giveaways are complicated to do in the Defi world. This is because there are many ways for users to get into the game momentarily just to get the free token. Normally, the eligibility of a Airdrop is NOT determined by balanceOf calls.

NFTX is a platform for creating liquid markets for illiquid Non-Fungible Tokens (NFTs). The vToken is how this is done. A user deposits their NFT into the vault and the protocol mints an ERC20 vToken in exchange. Since this platform is meant to increase the liquidness, it has aflash loan functionality for ERC721s. The function flashLoan allows a user to borrow an arbitrary amount of vToken, which is backed by the NFTs.

When taking out a flash loan to get vTokens, a user can burn these vTokens to get a specified NFT. Additionally, the burning has a fee of 1.04 as well.

Let's say that the BAYC NFTXVault has 10 apes as liquidity in it. An attacker can exploit this with the following steps:

1. Flash loan to borrow the 10 BAYC vTokens.
2. Burn the vToken to redeem the BAYC NFT from the vault.
3. Claim the ApeCoins.
4. Mint 10 BAYC vTokens from the newly AirDropped tokens.
5. Pay about the 10 BAYC vTokens alongside the fee for performing the exchange.

After running through all of these steps, we have gained ApeCoins for doing nothing. That's a pretty neat exploit! The attacker walked away with 14.15 ETH and 60,564 APE for about 350K. Novel functionality in the NFTX vault made this exploit possible.