Millions of dollars worth of non-fungible tokens (NFTs) from flagship collections such as Bored Ape Yacht Club (BAYC), Mutant Ape Yacht Club (MAYC) and even Cool Cats were stolen due to a bug in old smart contracts from NFT Trader. What happened to cause such an attack?
Several million dollars' worth of NFTs stolen, most of them from BAYC
Yesterday, Saturday, December 16, many holders of non-fungible tokens (NFTs) from blue-chip collections had the unpleasant surprise of seeing their digital works disappear from their wallets.
In total, the hacker stole 36 NFTs from the flagship Bored Ape Yacht Club (BAYC) collection and 18 NFTs from its derivative collection, Mutant Ape Yacht Club (MAYC), as well as some NFTs from the World of Women, VeeFriends, Cool Cats and Squiggle collections. ApeCoin (APE), the token associated with BAYC, was also stolen from some holders.
In total, the amount originally stolen was around $3 million.
What did the unfortunate victims of this large-scale attack have in common? They had all granted approval to at least one vulnerable smart contract from the NFT Trader platform, which itself published a statement earlier in the day confirming the bug:
🚨🚨We have detected an attack on old smart contracts, please remove delegation using https://t.co/zEMgkS96nP to the following addresses:
- 0xc310e760778ecbca4c65b6c559874757a4c4ece0
- 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
— NFT Trader (@NftTrader) December 16, 2023
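As an added example (not code from the article or from NFT Trader), the following Python script shows the defensive check behind this notice: it replays a wallet's ERC-721 `ApprovalForAll` events to find collections where an approval to either of the two listed operator contracts is still open, and builds the `setApprovalForAll(operator, false)` calldata that a revoke tool such as Revoke.cash would submit. The owner and collection addresses and the event logs are constructed placeholders; the function selector and event topic are the standard ERC-721 values.

```python
# Added example (not from the article or NFT Trader): replay ERC-721 ApprovalForAll
# logs for the two old operator contracts in the notice and build revoke calldata.
# Standard library only; selector and topic are well-known ERC-721 constants.
RISKY_OPERATORS = {  # the two operator contracts from the NFT Trader notice, lowercased
    "0xc310e760778ecbca4c65b6c559874757a4c4ece0",
    "0x13d8faf4a690f5ae52e2d2c52938d1167057b9af",
}
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]
APPROVAL_FOR_ALL_TOPIC = (  # keccak256("ApprovalForAll(address,address,bool)")
    "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31")


def _word_to_address(word: str) -> str:
    """Indexed addresses are 32-byte topics; the address is the low 20 bytes."""
    return "0x" + word.lower().removeprefix("0x")[-40:]


def build_revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false): selector + address word + bool 0."""
    addr_word = operator.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr_word + "0" * 64


def find_open_risky_approvals(logs: list, owner: str) -> set:
    """Replay ApprovalForAll logs (in chain order) and return the (collection, operator)
    pairs where `owner`'s latest approval to a risky operator is still true."""
    state = {}
    for log in logs:
        if log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event type
        log_owner, operator = map(_word_to_address, log["topics"][1:3])
        if log_owner != owner.lower() or operator not in RISKY_OPERATORS:
            continue
        approved = int(log["data"], 16) != 0  # the non-indexed bool argument
        state[(log["address"].lower(), operator)] = approved  # later log wins
    return {pair for pair, approved in state.items() if approved}


# Constructed sample (placeholder addresses): the owner approved operator 1 on
# collection A and later revoked it, and approved operator 2 on collection B.
OWNER, COLL_A, COLL_B = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
OP1, OP2 = sorted(RISKY_OPERATORS)
TRUE_WORD, FALSE_WORD = "0x" + "0" * 63 + "1", "0x" + "0" * 64


def _approval_log(collection: str, operator: str, data: str) -> dict:
    topics = [APPROVAL_FOR_ALL_TOPIC] + ["0x" + a[2:].rjust(64, "0") for a in (OWNER, operator)]
    return {"address": collection, "topics": topics, "data": data}


SAMPLE_LOGS = [_approval_log(COLL_A, OP1, TRUE_WORD), _approval_log(COLL_B, OP2, TRUE_WORD),
               _approval_log(COLL_A, OP1, FALSE_WORD)]
```

Running `find_open_risky_approvals(SAMPLE_LOGS, OWNER)` on the constructed logs reports only collection B with operator 2, since the approval on collection A was revoked by the later log.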
Subsequently, the attacker sent a somewhat confusing on-chain message stating that “the monkeys (i.e. the BAYC NFTs, editor’s note) are safe and will eventually return to their user.” According to him, he initially wanted to exploit a vulnerability first discovered by another hacker, before realizing that he could siphon off many high-value NFTs.
“First, I came here as usual to collect the residual waste. At first I thought I could only get TOKENs, but I finally found out I could get NFTs too. I don’t know much about NFT but I was looking at the price of NFT and I think there is a lot of money to be made with exploits. (…) If you want to get NFT monkey, you have to pay me a premium, I deserve it. 1 BAYC = 30 ETH 1 MAYC = 6 ETH. You have to pay me 10% ETH for my work if you have BAYC (…) You have to pay me 3 ETH if it’s BAYC and 3.6 ETH if it’s MAYC”
The NFTs have finally been returned to their owners
At first, it appeared that the attacker had decided to hand back some NFTs himself, sometimes even with an amount of Ether (ETH), as the owner of a stolen BAYC stated on X after recovering it:
And now the hacker just sent me 31 eth? What in the world is going on. Is this real life?
— Ricky Sanders (@RSandersDFS) December 16, 2023
This morning, Boring Security, a volunteer group that shares security best practices for NFT holders and sometimes conducts on-chain investigations, said that the 36 BAYC and 18 MAYC had been returned to them in exchange for a premium of 10% of the collection floor price, and that the loot would be returned to the victims.
All 36 BAYCs and 18 MAYCs that the exploiter had are now in our possession.
We sent them 10% of the collection floor price as a reward. We will work with affected victims to return them free of charge.
Right after the coffee break…
Victims please…
— Boring Security (@BoringSecDAO) December 17, 2023
The hacker, for his part, transferred the funds he was paid to the Tornado Cash cryptocurrency mixer in order to erase his on-chain traces.
A screenshot showing some of the transactions made by the hacker
Also note that thanks to the efforts of 0xfoobar, 0xf4d3 and 0xqit, some NFTs were quickly recovered, and they made sure the bug was fixed by deploying an on-chain patch in agreement with NFT Trader.
A story that ends on a positive note, then, even if it highlights the dangers of the permissions that can be granted to smart contracts that seem safe at first glance.