On December 16, a vulnerability in two smart contracts of the NFT Trader platform resulted in some users losing their assets. According to Revoke.cash, the total losses are estimated at $3 million, most of which are NFTs from the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) collections.
However, the hacker got in touch the same day. On December 17, after receiving a reward of 120 ETH (about $268,000), they returned the NFTs to Boring Security, a non-profit web3 security education DAO. Boring Security has begun returning NFTs to their previous owners.
What is NFT Trader
NFT Trader is a peer-to-peer NFT trading platform with advanced social functionality. Users can post ads to buy specific NFTs or securely exchange them on the Ethereum and Optimism blockchains.
NFT Trader largely runs on the Seaport protocol developed by NFT marketplace OpenSea but also has its own smart contracts for some operations.
Smart contracts are programmes operating on the blockchain. They allow users to perform complex operations within the network, such as securely exchanging funds (unlike sending funds back and forth directly between addresses, where one party can cheat the other). Before interacting with any smart contract, users must grant it an approval that lets it move assets from their address.
However, like any program, smart contracts can have vulnerabilities, be malicious, and steal funds from approved addresses.
How did NFT Trader get hacked
As reported by NFT Trader on December 16, an attacker exploited two old smart contracts, stealing NFTs. For the safety of unaffected users, it was recommended to revoke approvals from these smart contracts through services like Revoke.Cash.
According to Revoke.Cash, the stolen NFTs were valued at $3 million. Almost all of them are from the popular BAYC and MAYC collections, 36 and 18 NFTs, respectively.
NFT Trader's negotiations with the hacker
On the same day, December 16, the hacker got in touch via messages in transactions to their own Ethereum address. The following became known:
- The hacker is "a good, kind kid and a beautiful girl". Usually, hackers prefer not to reveal their gender or other identifying information;
- She is not the first to find the vulnerability. In her messages, she left an address that had used a similar exploit before, but she decided to transfer the NFTs to her address so that the real attacker would not do so;
- She also expressed her willingness to return the NFTs to their previous owners for 10% of their floor price. So, returning one NFT from the BAYC collection would cost 3 ETH (about $6,700), and returning one from MAYC would cost 0.6 ETH (about $1,340).
Read about how public messages can be sent in Ethereum transactions in our article on the August Curve hack. In that case, the scammer was also negotiating with the protocol.
How BAYC and MAYC NFTs were recovered
On December 17, Boring Security DAO contacted the hacker. Through public correspondence, it was revealed that, for 120 ETH (about $268,000), the exploiter agreed to return all NFTs from the BAYC and MAYC collections. This amount is 1.2 ETH more than the individual owners would have given in total.
In the end, the funds were provided through the Boring Security DAO by Greg Solano, co-founder of Yuga Labs, which owns the rights to MAYC, BAYC, CryptoPunks, Meebits and other major NFT collections.
On the same day, the hacker returned all the stolen NFTs to Boring Security DAO, which in turn began returning them to their previous owners.
All in all, there was a happy ending, which is not really common after hacks in DeFi. To be on the safe side, it is worth revoking the approvals of smart contracts and protocols you rarely use. That way, in case of a vulnerability, your funds will be safe. For other tips, read our article: Crypto scam: how to protect yourself.
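To make that advice checkable, here is an added example (not code from the article or from NFT Trader) that replays ERC-721 ApprovalForAll logs for a wallet to find which operator contracts are still approved, and builds the setApprovalForAll(operator, false) calldata that revokes each one. The wallet, contract and operator addresses and the log entries are constructed; only the event topic and function selector are the standard ERC-721 values.

```python
# Added example: audit and revoke ERC-721 operator approvals from event logs.
# Standard ERC-721 identifiers (keccak256 of the event/function signatures):
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)

# Constructed addresses (assumptions, not real contracts).
WALLET = "0x" + "11" * 20             # the wallet being audited
NFT_CONTRACT = "0x" + "aa" * 20       # an ERC-721 collection
OLD_SWAP_CONTRACT = "0x" + "bb" * 20  # a rarely used trading contract
MARKETPLACE = "0x" + "cc" * 20        # another operator

def topic_from_address(addr: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes in log topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def bool_data(value: bool) -> str:
    """Non-indexed bool parameter, ABI-encoded as a 32-byte word."""
    return "0x" + ("1" if value else "0").rjust(64, "0")

# Constructed sample logs shaped like eth_getLogs output, newest last.
SAMPLE_LOGS = [
    {"address": NFT_CONTRACT, "blockNumber": 100, "logIndex": 0, "data": bool_data(True),
     "topics": [APPROVAL_FOR_ALL_TOPIC, topic_from_address(WALLET), topic_from_address(OLD_SWAP_CONTRACT)]},
    {"address": NFT_CONTRACT, "blockNumber": 105, "logIndex": 2, "data": bool_data(True),
     "topics": [APPROVAL_FOR_ALL_TOPIC, topic_from_address(WALLET), topic_from_address(MARKETPLACE)]},
    {"address": NFT_CONTRACT, "blockNumber": 110, "logIndex": 1, "data": bool_data(False),  # already revoked
     "topics": [APPROVAL_FOR_ALL_TOPIC, topic_from_address(WALLET), topic_from_address(MARKETPLACE)]},
]

def active_operators(logs, owner):
    """Replay ApprovalForAll logs in chain order; the latest event per (contract, operator) wins."""
    state = {}
    owner_topic = topic_from_address(owner)
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_FOR_ALL_TOPIC or log["topics"][1] != owner_topic:
            continue
        operator = "0x" + log["topics"][2][-40:]
        state[(log["address"], operator)] = int(log["data"], 16) == 1
    return sorted(key for key, approved in state.items() if approved)

def revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false); send it to the NFT contract to revoke."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator[2:].lower().rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for contract, operator in active_operators(SAMPLE_LOGS, WALLET):
        print(f"still approved on {contract}: {operator} -> revoke with data {revoke_calldata(operator)}")
```

On a live wallet the same replay applies to logs fetched with eth_getLogs filtered by the ApprovalForAll topic and the owner address, and each revoke is a transaction from the owner to the NFT contract carrying that calldata.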