NFT Trader is suspected to have been breached after several blue-chip non-fungible tokens (NFTs) were wrongfully transferred.
According to an X post by Chinese crypto news reporter Colin Wu, the NFTs were transferred to the address 0x909F2159780e64143CF08f32dBBF56Ed19478fda.
đ¨đ¨đ¨đ¨ RED ALERT
â dingaling (@dingalingts) December 16, 2023
If you've ever used NFT Trader in the past, revoke approval to their contract ASAP (0x13d8faF4A690f5AE52E2D2C52938d1167057B9af)
So far already 37 BAYC and 13 MAYC have already been drained to this address https://t.co/KBdpkb8woX
Wu gave an update about the address holderâs on-chain message, denying they hacked the P2P trading platform, and claiming they rescued the NFTs to return them.
The holder, who identified themselves as a female âscavenger,â revealed the real hackerâs address as 0x3dc115307c7b79e9ff0afe4c1a0796c22e366a47b47ed2d82194bcd59bb4bd46
0x90âŚ8fda sent a message on the chain to deny that he was a hacker. He said that he had rescued these NFT assets and would return them, but required the original holders to pay him a 10% bounty; and the real hacker was 0x3dc. ..bd46. https://t.co/3cXW7ibmcA
â Wu Blockchain (@WuBlockchain) December 16, 2023
NFT Trader also announced it has suffered an attack on old smart contracts on X (formerly Twitter), asking users to remove delegations via Revoke.cash to the following addresses:
- 0xc310e760778ecbca4c65b6c559874757a4c4ece0
- 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
The P2P trading platform is fairly unknown by most NFT traders. its website shows its CEO is John Pak, working together with co-founders Mattia Migliore and an individual who goes by the pseudonym âBruckzr.â
đ¨đ¨We've suffered an attack on old smart contracts, please remove the delegation using https://t.co/zEMgkS96nP to the following addresses:
â NFT Trader (@NftTrader) December 16, 2023
-0xc310e760778ecbca4c65b6c559874757a4c4ece0
-0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
On X, an NFT collector (@dingalingts) urged traders to ârevoke approval to their contract ASAPâ if theyâve used NFT Trader before. They identified all the stolen digital assets, which amounted to more than $2 million, including 37 BAYC, 13 MAYC, 4 World of Women, and 6 VeeFriends.
You might also like: US court sides with Yuga Labs, agrees RC BAYC are copycats
For the hacker to return the NFTs, they sent some demands through their on-chain message, insisting owners need to pay them a bounty because âit is what they deserve,â asking for 10% of the NFTsâ values for their âwork.â
Donât âblindly send ETHâ
The crypto community is skeptical about the demands. Market analysts like ZachXBT are warning traders not to âblindly send their ETH.â
ZachXBT exchanged some words with the exploiter, questioning the integrity of their word to return the assets.
The analyst reckoned that if they were up to giving back the stolen assets, they should consider listing the Apes to the original wallet address or using a middleman for the process.
Amazing things are happening for the monkey nft people
â davis đşđŚ (@basedkarbon) December 16, 2023
NFT Trader exploiter and ZachXBT exchange words pic.twitter.com/FAL0GgnvAt
Esports platform Kungama founder Michael Padilla, famously known as TFG, was among the victims of the NFT Trade exploit.
TFG took to X to announce he has lost two of his most valued BAYC NFTs, revealing he used NFT trade about 1 and a half years ago and didnât think he was at risk because he âremoved it as a connected site.â
TFG acknowledged he didnât take the necessary steps to shield his assets from the exploit, including revoking permissions on Etherscan.
Just got drained for my two favorite NFTs @BoredApeYC
â TFG (@TFGmykL) December 16, 2023
Was drained cause I used NFTtrader as a trading platform 1.5 years ago.
I assumed I wasnât at risk because I removed it as a connected site, but that isnât the full steps. Needed to revoke on etherscan
GGđŁ pic.twitter.com/6MbK7Kwgp3
According to Eden Block VC founder, who goes by the handle Lior.Eth on X, this is not the first time NFT Trader has been hacked, although there havenât been any other incidents reported by the platform prior to todayâs hack.
An X user dubbed bytes032.xyz, who describes themselves as a white glove smart contract security service provider, described the hack as âpeak degeneracy.â
They shared a javascript report of NFTTraderâs exploited smart contract, which showcased how everyone was helpless in pausing the contract because the platformâs team didnât expose the _pause function with public visibility.
â NFTTrader getting hacked
â @bytes032.xyz (@bytes032) December 16, 2023
â contract is pausable so they can pause if getting hacked
â team cannot pause the contract because they forgot to expose the _pause function with a public visibility
this is peak degeneracy pic.twitter.com/Q2SvTXcSEJ
The _pause function is used in a smart contract to halt all activity if something goes wrong. If the _pause function is not public, then only the original creator can stop the contract and prevent further loss of funds.
However, if the original creator is unaware of the problem or not available at the time, the hacker could potentially drain all the funds before anyone can stop them.
Nonetheless, there could be a light among the dark clouds seen by the victims of the NFT Trader hack, as BAYCâs founder Greg Solano has offered to pay 10% of the bounty the exploiter has asked for to see the NFTs have been returned to their rightful owners.
And if the info below is real, I will gladly put up the ETH to see these 50 apes back to their rightful owners. https://t.co/7jBwQHQRCj
â Garga.eth (Greg Solano) (@CryptoGarga) December 16, 2023
Hacker returns one NFT without bounty
In a remarkable twist, the exploiter has willingly given back a World of Women (WOW) NFT without charge, per Etherscan data. After returning the stolen WOW NFT, the hacker also returned a BAYC and a VFT to its rightful owners, without any further demand for payment.
Two more apes sent home to from the @NftTrader exploiter. pic.twitter.com/M5GdhEoHUl
â Xeer (@Xeer) December 16, 2023
This unexpected twist has added a sense of unpredictability to the ongoing saga, leaving the community both astonished and uncertain about the hackerâs motives.
Read more: BAYC NFT floor price drops 90% from $600,000 in 18 months