en
Back to the list

NFT Trader recovers stolen Bored Apes with $267k bounty payment

source-logo  crypto.news 18 December 2023 11:50, UTC

All stolen Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) from the NFT Trader platform have been recovered following a $267,000 bounty payment.

On Dec. 16, a security breach on the peer-to-peer platform NFT Trader led to the theft of NFTs worth nearly $3 million.

The attacker, in public messages, claimed to have capitalized on an exploit initially used by another user, demanding a ransom for the return of the stolen NFTs. They insisted on a payment of 120 Ether (ETH), equivalent to around $267,000 at the time, to return the NFTs.

Responding swiftly, Boring Security, a non-profit web3 security project funded by ApeCoin, spearheaded a community initiative that secured the return of all assets in under 24 hours after complying with the ransom demand.

All 36 BAYC and 18 MAYC that the exploiter had are now in our possession.

We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge.

Right after this coffee break…

Victims please…

— Boring Security (@BoringSecDAO) December 17, 2023

Boring Security, in a statement on X, confirmed the recovery of all 36 BAYC and 18 MAYC NFTs. The payment to the hacker amounted to 10% of the floor price of the collections, as agreed upon.

The bounty was paid by Greg Solano, co-founder of Yuga Labs. The company is the creator of both the NFTs collections and supported negotiations to recover the tokens and return them to their original owners for free.

You might also like: VC giant Tiger Global reportedly cut stakes in OpenSea and NFT collection BAYC

The breach was traced back to a vulnerability introduced by a smart contract upgrade 11 days prior. This upgrade enabled the misuse of a multicall feature, leading to unauthorized NFT transfers. The loophole was identified by “Foobar,” a pseudonymous founder and developer of Delegate, who also helped NFT Trader’s team halt the attack.

Following the incident, calls were made urging users to revoke permissions granted to two old contracts identified as potential security risks. The revoked approvals were essential to prevent possible future thefts of the NFTs.

Boring Security urges regular training against NFT hacks

Boring Security, acknowledging the complexity of self-custody in decentralized finance, emphasized the need to understand the mechanisms of web3. They highlighted the strides made by Ethereum developers in enhancing user-friendly interfaces but stressed the importance of being vigilant in managing digital assets.

As we finish up getting these apes back to their rightful owners, I just want to give a huge shoutout to the team for working overtime this weekend to come together on this. The DAO is comprised of dozens of individuals, and are all here to further the mission of web3 security…

— Boring Security (@BoringSecDAO) December 18, 2023

With over 80 partnerships in the NFT space, Boring Security has been advocating for a culture of security in web3. Their approach includes free, instructor-led training sessions. They also urged community leaders to adopt various measures to bolster security.

These measures include creating whitelists for security-educated individuals, integrating security modules into community access requirements, and training moderators in security protocols.

Additionally, Boring Security proposed incentives like hosting special Proof of Attendance Protocol (POAP) events and offering bonuses for completing security classes or activities to encourage participation in security education.

The firm called upon community leaders to collaborate in enhancing and safeguarding their communities, inviting them to share insights and seek guidance.

Read more: US agency identified Bitcoin inscriptions as cybersecurity risk
crypto.news