NFT Trader recovers stolen Bored Apes with $267k bounty payment

All stolen Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) from the NFT Trader platform have been recovered following a $267,000 bounty payment.

On Dec. 16, a security breach on the peer-to-peer platform NFT Trader led to the theft of NFTs worth nearly $3 million.

The attacker, in public messages, claimed to have capitalized on an exploit initially used by another user, demanding a ransom for the return of the stolen NFTs. They insisted on a payment of 120 Ether (ETH), equivalent to around $267,000 at the time, to return the NFTs.

Responding swiftly, Boring Security, a non-profit web3 security project funded by ApeCoin, spearheaded a community initiative that secured the return of all assets in under 24 hours after complying with the ransom demand.

Boring Security, in a statement on X, confirmed the recovery of all 36 BAYC and 18 MAYC NFTs. The payment to the hacker amounted to 10% of the floor price of the collections, as agreed upon.

The bounty was paid by Greg Solano, co-founder of Yuga Labs. The company is the creator of both the NFTs collections and supported negotiations to recover the tokens and return them to their original owners for free.

The breach was traced back to a vulnerability introduced by a smart contract upgrade 11 days prior. This upgrade enabled the misuse of a multicall feature, leading to unauthorized NFT transfers. The loophole was identified by “Foobar,” a pseudonymous founder and developer of Delegate, who also helped NFT Trader’s team halt the attack.

Following the incident, calls were made urging users to revoke permissions granted to two old contracts identified as potential security risks. The revoked approvals were essential to prevent possible future thefts of the NFTs.

Boring Security urges regular training against NFT hacks

Boring Security, acknowledging the complexity of self-custody in decentralized finance, emphasized the need to understand the mechanisms of web3. They highlighted the strides made by Ethereum developers in enhancing user-friendly interfaces but stressed the importance of being vigilant in managing digital assets.

With over 80 partnerships in the NFT space, Boring Security has been advocating for a culture of security in web3. Their approach includes free, instructor-led training sessions. They also urged community leaders to adopt ious measures to bolster security.

These measures include creating whitelists for security-educated individuals, integrating security modules into community access requirements, and training moderators in security protocols.

Additionally, Boring Security proposed incentives like hosting special Proof of Attendance Protocol (POAP) events and offering bonuses for completing security classes or activities to encourage participation in security education.

The firm called upon community leaders to collaborate in enhancing and safeguarding their communities, inviting them to share insights and seek guidance.