In a remarkable turnaround, all stolen Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) have been recovered following a major security breach on the peer-to-peer trading platform NFT Trader. The incident on December 16 resulted in the theft of NFTs valued at nearly $3 million. However, thanks to the swift action of Boring Security, a non-profit Web3 security project backed by ApeCoin, these digital assets were secured within 24 hours.
The recovery operation involved a bounty payment of 120 Ether (ETH), equivalent to approximately $267,000 at the time of the transaction. Greg Solano, co-founder of Yuga Labs and creator of BAYC and MAYC NFT collections, spearheaded this strategic move. His involvement was crucial in the negotiation process, ultimately leading to the return of the NFTs to their rightful owners at no additional cost.
NFT Trader hack exposes smart contract flaws
The attack was linked to a vulnerability in a smart contract that had been updated 11 days before the incident. The upgrade inadvertently introduced a flaw related to a multicall feature, allowing unauthorized transfers of NFTs. The hacker executed the theft by leveraging previously granted trading permissions. The vulnerability was pinpointed by “Foobar,” a pseudonymous founder and developer of Delegate, who played a vital role in helping the NFT Trader team halt the attack swiftly after its discovery.
In response to this security breach, there have been urgent calls for users to revoke all permissions granted to two specific old contracts identified as potential risks. These contracts, listed as 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af, pose a continued threat. If approvals are not revoked, the stolen NFTs could be compromised again.
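The approval check and revocation described above can be scripted. The following is an added example, not code from the article, NFT Trader or Boring Security. It assumes the permissions in question are standard ERC-721/ERC-1155 operator approvals (isApprovedForAll / setApprovalForAll); the collection and owner addresses are supplied by the user, and `call` is a hypothetical callable that submits the request to an Ethereum node.

```python
# Operator contracts named in the article above.
RISKY_OPERATORS = [
    "0xc310e760778ecbca4c65b6c559874757a4c4ece0",
    "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af",
]
IS_APPROVED_FOR_ALL = "e985e9c5"   # selector: isApprovedForAll(address,address)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector: setApprovalForAll(address,bool)


def word(value):
    """ABI-encode an address string or a small integer as one 32-byte hex word."""
    if isinstance(value, int):
        return format(value, "064x")
    h = value.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {value!r}")
    return h.rjust(64, "0")


def approval_query(collection, owner, operator):
    """JSON-RPC eth_call body: may `operator` move all of `owner`'s tokens?"""
    data = "0x" + IS_APPROVED_FOR_ALL + word(owner) + word(operator)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": collection, "data": data}, "latest"]}


def is_approved(result_hex):
    """Decode the returned bool; an empty "0x" result counts as not approved."""
    h = result_hex.removeprefix("0x")
    return bool(h) and int(h, 16) != 0


def revoke_calldata(operator):
    """Calldata for setApprovalForAll(operator, false), sent by the owner to the collection."""
    return "0x" + SET_APPROVAL_FOR_ALL + word(operator) + word(0)


def audit(collections, owner, call):
    """List (collection, operator, revoke calldata) for each approval still live.

    `call` is a hypothetical callable that submits the eth_call body to a node
    and returns the hex result string.
    """
    findings = []
    for collection in collections:
        for operator in RISKY_OPERATORS:
            if is_approved(call(approval_query(collection, owner, operator))):
                findings.append((collection, operator, revoke_calldata(operator)))
    return findings
```

Each finding's calldata is what the owner's wallet would send to the listed collection contract to clear that operator approval.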
This incident has shed light on the persistent vulnerabilities within the NFT space and the need for heightened security measures. The successful recovery of the stolen assets underscores the importance of rapid response and effective crisis management in the digital asset domain. Moreover, it highlights the collaborative efforts between various entities within the NFT ecosystem, from developers to platform owners and community initiatives, in safeguarding assets and maintaining trust.
The incident serves as a wake-up call for the NFT community to prioritize security and remain vigilant against potential exploits. It also stresses the need for continuous monitoring and updating of smart contracts to prevent similar occurrences in the future. As the NFT market continues to evolve, ensuring the security of digital assets remains a top priority for creators and investors alike.