Millions of dollars worth of non-fungible tokens (NFT) from flagship collections such as Bored Ape Yacht Club (BAYC), Mutant Ape Yacht Club (MAYC) and Cool Cats have been stolen due to a flaw in old NFT Trader smart contracts. What happened to make such an attack possible?
Millions of NFT dollars gone, most of them from BAYC
Yesterday, Saturday December 16, many owners of non-fungible tokens (NFTs) from blue chip collections had the unfortunate surprise of seeing their digital works evaporate from their wallets.
In all, 36 NFTs from the flagship Bored Ape Yacht Club (BAYC) collection and 18 NFTs from the derivative Mutant Ape Yacht Club collection were hijacked by the hacker, in addition to a few NFTs from the World of Women, VeeFriends, Cool Cats and Squiggle collections. Individuals holding Apecoins (APEs), the tokens linked to BAYC, also had them stolen.
What did the unfortunate victims of this major attack have in common? They had all granted authorization to at least one risky smart contract on the NFT Trader platform, which itself issued a statement confirming the breach later in the day:
We’ve suffered an attack on old smart contracts, please remove the delegation using https://t.co/zEMgkS96nP to the following addresses:
-0xc310e760778ecbca4c65b6c559874757a4c4ece0
-0x13d8faF4A690f5AE52E2D2C52938d1167057B9af– NFT Trader (@NftTrader) December 16, 2023
“We have suffered an attack on old smart contracts, please remove the delegation using Revoke.cash at the following addresses […]. “
Subsequently, the attacker transmitted a somewhat confusing on-chain message, stating that “the monkeys [understand BAYCs, Editor’s note] are safe, and they will eventually return to their user.” According to him, he first wanted to take advantage of a flaw initiated by another hacker, before realizing that he could siphon off many high-value NFTs.
“At first, as usual, I came here to collect residual waste. At first, I thought I could only get TOKENs, but I eventually discovered I could also get NFTs. I don’t know much about NFTs, but I’ve looked at the price of NFTs and I think there’s a lot of profit to be made from exploits. […] If you want the monkey’s NFT back, you have to pay me a premium, that’s what I deserve. 1 BAYC = 30 ETH 1 MAYC = 6 ETH. You must pay me 10% ETH for my work if you have a BAYC […] You must pay me 3 ETH if it’s a BAYC and 3.6 ETH if it’s a MAYC”.
Author of NFT
theft
NFTs finally returned to their owners
At first, the attacker seems to have decided to return some NFTs on his own, sometimes even with a certain amount in Ethers (ETH), as reported by an owner of a stolen BAYC on X, after recovering it:
And now the hacker just sent me 31 eth? What in the world is going on. Is this real life?
– Ricky Sanders (@RSandersDFS) December 16, 2023
“And now the hacker has just sent me 31 ETH? What’s going on? Is this for real? “
This morning, Boring Security, a volunteer group that works to share good security practices for NFT holders and sometimes conducts on-chain investigations, reported that the 36 BAYCs and 18 MAYCs had been returned to them in exchange for a premium of 10% of the floor price of the collections, and that the loot would be given back to the victims.
All 36 BAYC and 18 MAYC that the exploiter had are now in our possession.
We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge.
Right after this coffee break…
Victims please…
– Boring Security (@BoringSecDAO) December 17, 2023
For his part, the hacker transferred the funds paid to him to the cryptocurrency blender Tornado Cash in order to erase the on-chain traces.
Screenshot showing some of the transactions made by the hacker
Thanks to the efforts of 0xfoobar, 0xf4d3 and 0xqit, some NFTs were quickly recovered, and the latter managed to ensure that the flaw was corrected by deploying an on-chain patch following an agreement with NFT Trader.
A story that will therefore end on a positive note, although it highlights the dangers inherent in the permissions that can be granted to certain smart contracts, even though they are safe at first glance.
