An NFT trader platform called NFT Trader was hacked, resulting in the theft of $3 million worth of Bored Ape Yacht Club and Mutant Ape Yacht Club NFTs. The hacker exploited a vulnerability introduced by a recent smart contract upgrade, which allowed unauthorized transfers of the NFTs.
The hacker publicly demanded a ransom of 120 Ether (worth around $267,000) to return the stolen NFTs. A non-profit web3 security organization called Boring Security spearheaded a community effort to pay this ransom and recover the NFTs within 24 hours.
The ransom was paid by Greg Solano, co-founder of Yuga Labs which created the Bored Ape NFTs. This allowed all 36 stolen Bored Ape and 18 Mutant Ape NFTs to be returned to their original owners free of charge.
The vulnerability was originally identified by a developer named “Foobar” who helped the NFT Trader team halt the attack. Users have since been urged to revoke permissions to old contracts that posed security risks to prevent potential future thefts.
In response, Boring Security highlighted the need for better security understanding in web3 and NFT custody. They advocate for more education and training around NFT hacking threats. Boring Security also called on NFT community leaders to adopt various security measures like creating whitelists of security-trained members. Their goal is to promote a “culture of security” in the NFT space through collaboration.
