Unobvious risks. How not to lose APE coins in staking

ApeCoin tokens can be placed in staking to make extra earnings on NFTs from popular collections, but attackers exploit the conditions of pools and misappropriate image owners’ coins.

On Tuesday, December 6, Horizon Labs announced the launch of ApeCoin (APE) staking. Owners of coins and NFT images from the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) collections can earn by staking in pools on the site, apestake.io, with rewards beginning to accrue on December 12. In the first 12 hours, more than $16 million in assets were recorded in the staking contract.

The site has four staking pools open for ApeCoin. The first is available to APE holders with no NFTs from collections, and the other three are distributed to BAYC, MAYC, and Bored Ape Kennel Club (BAKC) image owners, respectively. Each of the pools offers different staking terms for coins. For example, in the BAYC pool, 10 094 APE can be staked for each of their NFTs, while in the pool for MAYC, 2042 APE per image from the collection are available.

As of December 6, ApeCoin is trading at $4, according to CoinMarketCap. The APE price has risen by more than 50% since mid-November on expectations of the launch of staking. The volume of trading in images of related collections has also increased, but the overall negative trend in the NFT market continues.

Low stakes and new trends. What's going on in the NFT market

Access to the pools’ web interface is blocked for residents of the US, Russia, Iran, Cuba, and Syria. The blocking for the US has drawn criticism from the community because it is in the United States that a large portion of the NFT community is concentrated. Yuga Labs, the company behind the collections, launched a massive marketing campaign promoting BAYC through local first-tier celebrities, including TV host Jimmy Kimmel and rapper Snoop Dogg.

On the same day, the NFT platform of the Binance crypto exchange announced the launch of its own APE staking pool for owners of images from the BAYC and MAYC collections. It is logical to assume that other platforms will eventually follow suit.

The largest ApeCoin holder in staking is considered to be a collector under the nickname n0b0dy, who has placed about 170 000 APE in the staking pool. The address n0b0dy.eth lists 102 NFTs, including tokens from the most popular collections.

How APE are lost in staking

When ApeCoin coins are placed in a pool tied to a specific collection, the NFT image serves as a “key” to the coins in staking. When an NFT is sold, its owner unwittingly transfers all associated APE tokens sent to staking. At the time of publication, none of the known NFT marketplaces, including OpenSea, had issued warnings about the relevant risks to their users.

On the very first day, frauds with tokens in staking began on the part of those who figured out how to exploit the conditions of pools and took advantage of the technical ignorance of some BAYC image owners. Analytics company PeckShield addressed BAYC owners on its Twitter account, for emergency alerts, reminding them that when NFT is sold, the received APE tokens from the pool also go to the new owner.

In a series of tweets, PeckShield illustrated the actions of an anonymous user associated with an Ethereum address beginning with the characters “0x8237.” The one whom analysts call an “Exploiter/Arbitrageur” was at least twice able to capitalize on the ignorance of the terms of APE staking by the first users of pools.

The analysis of the transaction shows that the “exploiter” first borrowed 82 ETH on the decentralized exchange dYdX, with which it bought BAYC #6762 on the open market, probably knowing that its owner placed NFT in the staking pool. Upon receiving the NFT, the “exploiter” received 6 409 APE tokens of the former owner, which he instantly converted into 19,98 ETH on the decentralized exchange Uniswap. He then sold BAYC #6762 and used the proceeds of the coin sale to repay the initial loan on dYdX, keeping ETH he received from the APE token conversion as income.

Transaction chain in the Etherscan blockchain explorer

Source: Etherscan.io

PeckShield found at least one more transaction indicating that the same “exploiter” using exactly the same scheme “earned” an even larger amount in ETH on BAYC #1633.

This was pointed out by Jordan Cobie Fish, a well-known crypto influencer and UpOnly podcast host, who analyzed the APE staking mechanism in one of his newsletters back in April and warned about possible risks. “Lots of the decisions around the apecoin staking stuff is so weird and anti-user to me. Even with the feedback given well in advance, they just went “eh nah let’s ignore that wagmi” oh well,” Fish wrote on Twitter.

He also stressed that the lack of protection mechanisms against the exploitation of staking conditions can attract scammers and hackers because NFTs from sensational collections have often become a target for attackers.