The hacker responsible for the theft of $3 million worth of NFTs from the peer-to-peer trading platform NFT Trader has returned the assets following successful negotiations. This incident, which occurred on December 16, highlighted vulnerabilities in the platform’s security.
Swift recovery through community initiative
The recovery process was spearheaded by the Boring Security DAO, a blockchain security firm that played a pivotal role in retrieving the stolen NFTs within an impressive 24-hour timeframe. The hacker, identified through public messages, demanded a payment of 120 ETH (approximately $267,000) for the safe return of the stolen NFTs.
Yuga Labs, the creator of the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT collections, actively supported the negotiations. Greg Solano, co-founder of Yuga Labs, paid the 120 ETH bounty, which amounted to 10% of the floor price of the collections. This cooperative effort secured the return of all 36 BAYC and 18 MAYC NFTs taken in the exploit.
All 36 BAYC and 18 MAYC that the exploiter had are now in our possession.
— Boring Security (@BoringSecDAO) December 17, 2023
We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge.
Understanding the exploit: Vulnerability in platform’s security
According to “Foobar,” the pseudonymous founder and developer of Delegate, the vulnerability was introduced 11 days before the hack, when a smart contract upgrade added a multicall feature. A marketplace contract needs operator approval over users’ NFTs to settle trades, and users had already granted that permission to the platform’s contracts. The new multicall let a caller route arbitrary calls through the contract, so an attacker could make it issue transfers on behalf of any wallet that still held an active approval, with no signature from the owner.
In response, Foobar called on users to revoke all permissions granted to two old contracts (0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af). Revoking the approval closes the hole for that wallet regardless of what happens to the contracts later, because the contracts can only move tokens from wallets that still trust them as an operator. The developer and NFT Trader’s team acted swiftly to halt the ongoing attack and secure the platform.
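The bug class described above, as an added illustration that is not NFT Trader’s code (the page does not reproduce the upgraded contract): a marketplace contract that users have approved as an NFT operator exposes a multicall that forwards arbitrary calls, beside a hardened form that only batches calls into itself. All contract and function names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface this illustration needs.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function setApprovalForAll(address operator, bool approved) external;
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

/// Hypothetical marketplace (not NFT Trader's code). Users called
/// nft.setApprovalForAll(address(this), true) so it can settle trades,
/// and an upgrade later added a generic multicall.
contract VulnerableMarketplace {
    /// Forwards caller-chosen calls; every target sees msg.sender == this contract.
    /// Since users approved this contract as operator, a caller can batch
    /// transferFrom(victim, attacker, id) against any NFT contract and the
    /// NFT contract accepts it: the operator check passes, no owner signature needed.
    function multicall(address[] calldata targets, bytes[] calldata data)
        external
        returns (bytes[] memory results)
    {
        require(targets.length == data.length, "length mismatch");
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = targets[i].call(data[i]);
            require(ok, "call failed");
            results[i] = ret;
        }
    }
}

/// Attacker-side view of the exploit path (hypothetical).
contract Drainer {
    function drain(VulnerableMarketplace mkt, IERC721 nft, address victim, uint256 tokenId) external {
        address[] memory targets = new address[](1);
        bytes[] memory data = new bytes[](1);
        targets[0] = address(nft);
        // The NFT contract sees msg.sender == mkt, which `victim` approved as operator.
        data[0] = abi.encodeCall(IERC721.transferFrom, (victim, msg.sender, tokenId));
        mkt.multicall(targets, data);
    }
}

/// Hardened form: batching is only allowed into this contract's own functions
/// (delegatecall to self, the usual multicall pattern), so the contract's
/// operator approvals can never be spent on an external target chosen by the caller.
/// Each batched function still runs its own authorization checks on msg.sender.
contract HardenedMarketplace {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "call failed");
            results[i] = ret;
        }
    }

    /// Example of a trading entry point that the multicall may batch: it moves
    /// only the caller's own token, so nothing an outsider batches can touch
    /// another user's assets.
    function listAndEscrow(IERC721 nft, uint256 tokenId) public {
        nft.transferFrom(msg.sender, address(this), tokenId);
    }
}
```

What an affected user does about it is the revoke Foobar asked for: from their own wallet, call `setApprovalForAll(0xc310e760778ecbca4c65b6c559874757a4c4ece0, false)` and the same for `0x13d8faF4A690f5AE52E2D2C52938d1167057B9af` on every collection they ever approved, then confirm with `isApprovedForAll(wallet, oldContract)` returning false. The call must come from the owner because ERC-721 keys approvals by (owner, operator), which is also why a helper contract cannot revoke on anyone’s behalf.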
The hacker, described as having limited technical skills but asserting they were “a good person,” outlined their demands for compensation. The negotiation involved specific payment terms, with the hacker detailing a percentage-based compensation structure for each type of NFT. Yuga Labs co-founder Greg Solano ultimately paid the bounty, facilitating the return of the stolen tokens to their rightful owners.
Yuga Labs not only contributed to the financial aspect of the recovery but also actively participated in negotiations to ensure the safe return of the tokens. The creator’s involvement demonstrates a commitment to the security and integrity of their NFT collections, providing a sense of reassurance to the affected community.