Stolen nonfungible tokens (NFTs) from NFT Trader, a peer-to-peer trading platform, have been successfully recovered. The incident, which occurred on December 16, involved the theft of Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFTs valued at nearly $3 million.
However, following the theft, a 120 Ether bounty was offered to the hacker. After the bounty payment was made, the stolen NFTs were returned to their rightful owner.
Initially, the hacker attributed the exploit to another user. Subsequently, they demanded a ransom of 120 ETH, approximately $267,000, for the safe return of the stolen NFTs. In public messages, the attacker insisted on the payment, stating, “If you want these NFT’s back, then you need to pay me 120 ETH… and then I will send you the NFT’s.”
NFT Trader Stolen NFTs Recovered by Boring Security with Yuga Labs’ Support
In a rapid community initiative, Boring Security, a non-profit Web3 security project funded by ApeCoin, took the lead. Within 24 hours of paying the bounty, the initiative successfully recovered all 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs.
Additionally, the Boring Security team disclosed, “All 36 BAYC and 18 MAYC that the exploiter had are now in our possession. We sent her [the hacker] 10% of the floor price of the collections as bounty.”
The bounty payment was facilitated by Greg Solano, co-founder of Yuga Labs, the creator of the NFT collections. Yuga Labs actively supported negotiations to recover the tokens and return them to their rightful owners at no cost.
Vulnerability Addressed and Community Collaboration
According to “Foobar,” the pseudonymous founder of Delegate, the vulnerability stemmed from a smart contract upgrade introduced 11 days prior. This upgrade inadvertently opened the door for the misuse of a multicall feature. Consequently, unauthorized transfers of NFTs occurred, exploiting trading permissions that had been granted previously.
In response to the incident, calls were made for users to revoke all permissions granted to two old contracts, namely 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af. Foobar, aiding NFT Trader’s team in stopping the attack, stressed revoking permissions to prevent future thefts.
This collaborative effort emphasizes the NFT community’s resilience in promptly addressing security breaches. It also underscores the importance of proactive measures to safeguard digital assets.
Read More:
SEC Rejects Coinbase Plea for Tailored Crypto Regulations
SaitaChain Successfully Completes STC Token Migration to BNB Chain