Crypto Community Unites: The Stolen NFTs Now Returned After Ransom
In the ever-evolving world of cryptocurrency and nonfungible tokens (NFTs), a captivating story has recently unfolded, highlighting both the vulnerability and resilience of the digital art ecosystem. Surprisingly, stolen NFTs from the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) have been returned, thanks to a heartfelt bounty payment.
The Great NFT Heist
On the 16th of December, the digital art community was shaken when a hacker made off with NFTs valued at nearly $3 million from the peer-to-peer trading platform NFT Trader. A bold demand for a ransom compounded the audacity of the heist: 120 Ether (ETH), equivalent to approximately $267,000 at the time, was demanded in exchange for the safe return of the pilfered NFTs.
The hacker claimed innocence in public messages, attributing the original exploit to another user. “I came here to pick up residual garbage,” they wrote, claiming the ill-gotten NFTs and insisting on the bounty as a prerequisite for their return. It was a high-stakes digital standoff with the entire crypto world on edge.
A Community Rises to the Occasion
Amid the uncertainty and apprehension, a community-driven initiative spearheaded by Boring Security, a non-profit Web3 security project funded by ApeCoin, emerged as the beacon of hope. In an astonishing display of solidarity, the community rallied to recover the stolen assets in less than 24 hours after the hacker’s demand was made public.
“All 36 BAYC and 18 MAYC that the exploiter had are now in our possession. We sent her [the hacker] 10% of the floor price of the collections as bounty,” announced the triumphant Boring Security team on social media platform X (previously known as Twitter).
The pivotal moment of redemption came when Greg Solano, co-founder of Yuga Labs, stepped in to pay the bounty. Yuga Labs, the creator of both the BAYC and MAYC NFT collections, played a pivotal role in supporting negotiations to retrieve the tokens and return them to their rightful owners free of charge.
The Vulnerability Unveiled
Behind this story of redemption lies a sobering lesson in digital security. The vulnerability exploited by the hacker was traced back to a smart contract upgrade that occurred just 11 days prior. The upgrade inadvertently made it possible to misuse a multicall feature, so that NFTs could be transferred away from their legitimate owners without authorisation, using trading permissions those owners had previously granted.
The incident sent shockwaves throughout the NFT community, prompting urgent calls to revoke all permissions granted to two old contracts: 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af. Failing to revoke these permissions, warned “Foobar,” the pseudonymous founder and developer of Delegate, could expose NFTs to further theft.
In the end, it was the collaborative efforts of the NFT Trader team, with assistance from Foobar, that halted the attack shortly after its discovery, preventing further losses within the digital art community.
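The call to revoke permissions can be checked against on-chain event logs. The following is an added example, not code from the article or from any project it names: it replays ERC-721 ApprovalForAll logs for one wallet and reports the collections where one of the two flagged contracts is still an approved operator. It assumes the trading permissions were granted as ERC-721 operator approvals; the wallet, the collection addresses and the log entries are constructed placeholders.

```python
# Added example (not from the article): which ERC-721 operator approvals to the
# two flagged contracts are still active for a wallet, given eth_getLogs-style logs.
# keccak256("ApprovalForAll(address,address,bool)"), the ERC-721 event topic
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# The two old contracts named in the article, lowercased for comparison
FLAGGED = {"0xc310e760778ecbca4c65b6c559874757a4c4ece0",
           "0x13d8faf4a690f5ae52e2d2c52938d1167057b9af"}

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Replay logs in chain order; return (collection, operator) pairs still approved."""
    state = {}
    chain_order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=chain_order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # not an ERC-721 ApprovalForAll event
        operator = topic_to_address(topics[2])
        if topic_to_address(topics[1]) != owner.lower() or operator not in FLAGGED:
            continue  # another wallet, or an operator that is not flagged
        # data is the ABI-encoded bool: the latest event per pair wins
        state[(log["address"].lower(), operator)] = int(log["data"], 16) != 0
    return sorted(pair for pair, approved in state.items() if approved)

# --- Constructed sample data: placeholder wallet/collection addresses ---
OWNER, OTHER_OWNER = "0x" + "aa" * 20, "0x" + "bb" * 20
COLL_A, COLL_B = "0x" + "11" * 20, "0x" + "22" * 20

def make_log(collection, owner, operator, approved, block, index=0):
    """Build a log entry shaped like an eth_getLogs result (hypothetical helper)."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": collection, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + format(int(approved), "064x")}

SAMPLE_LOGS = [  # deliberately out of chain order
    make_log(COLL_B, OWNER, "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af", False, 150),
    make_log(COLL_A, OWNER, "0xc310e760778ecbca4c65b6c559874757a4c4ece0", True, 100),
    make_log(COLL_B, OWNER, "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af", True, 101),
    make_log(COLL_A, OWNER, "0x" + "33" * 20, True, 120),  # unflagged operator
    make_log(COLL_B, OTHER_OWNER, "0xc310e760778ecbca4c65b6c559874757a4c4ece0", True, 130),
]

if __name__ == "__main__":
    for collection, operator in outstanding_approvals(SAMPLE_LOGS, OWNER):
        print(f"revoke: collection {collection} still approves operator {operator}")
```

Each pair returned is an approval that is still live: the wallet owner revokes it by calling setApprovalForAll(operator, false) on that collection.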
A Tale of Redemption
This tale of stolen NFTs and their triumphant return serves as a reminder of the enduring spirit of the NFT community. It underscores the importance of vigilance in the ever-evolving landscape of digital assets and smart contracts. While the world of NFTs may be steeped in the virtual, the resilience and generosity of individuals like Greg Solano and the dedicated community behind Boring Security bring a distinctly human touch to this digital frontier, proving that, even in cryptocurrency, redemption is possible.