
Is there really information that you can obtain on your own that you can be criminally prosecuted for sharing?

On what basis could law enforcement act undercover to trap sellers?



Easy. All the sting operation has to do is make it clear to the seller what the "buyer" "intends" to do with the bug. It doesn't even have to be overt: they could simply say "we are looking to pay $10,000 for a bug that would enable us to download all the private photographs from Justin Bieber's Facebook account".


It depends on the information.

This only applies to the US, as the laws are probably different elsewhere. The CFAA[1] is a very vague and broad law that aims to stop people from accessing systems, sending malicious data, etc. It is intentionally written in such a way to be forgiving to the victim since security is hard by default [citation needed]. So even if you found an exploit without using it yourself, you'll probably be charged with aiding and abetting or something similar.

[1]: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


If you exchange money for an exploit that you know will be used to commit a specific crime, you are an accessory to that crime. The CFAA doesn't have much to do with it.

Selling exploits in general is not that legally risky†. Prosecutors have to prove mens rea at trial, beyond a reasonable doubt. People sell bugs to anonymous marketplaces all the time.

The question isn't whether selling Facebook bugs to the black market is itself illegal. It's whether the DOJ could set up a sting to capitalize on the greed of people who would do that. Yes, they could.

It's not not legally risky, either, especially in the case of bugs like these, where you've been given permission to attack Facebook's servers only in conjunction with their bounty program --- your civil liability to a website that doesn't run a bounty, if you sold a bug you found in their site and it was used in some way to harm them, could be astronomical.


I see you around HN all the time. Clicked your profile.

> Formerly: founder @ Matasano

Neat! Matasano is what got me into crypto - though my pursuit has since been limited.


Indeed, it is I, Sardo Numspaa!

I'm glad you liked the crypto stuff we did!


GP is not talking about just sharing. This is selling information for monetary gain. The buyer of which is also attempting to profit from it.



