Bounty Paid to Retrieve $3 Million in Stolen NFTs: BAYC, MAYC Tokens Safely Returned in High-Stakes Web3 Heist Resolution
Crypto News – In a dramatic turn of events, the entire collection of Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) non-fungible tokens (NFTs), valued at nearly $3 million, has been successfully retrieved following a significant bounty payment. These prized digital assets were originally compromised in a hack on NFT Trader, a peer-to-peer trading platform, on December 16th.
The hacker, whose identity remains unknown, claimed to have simply capitalized on a vulnerability initially exploited by someone else. In a message laden with bravado, they demanded a ransom for the return of the NFTs, stating, “If you want these NFTs back then you need to pay me 120 ETH…I never lie, believe me.”
Responding to this cyber heist, Boring Security, a non-profit Web3 security initiative funded by ApeCoin, orchestrated a swift and effective recovery operation. Within a mere 24 hours, they managed to secure all the stolen assets by paying a bounty of 120 Ether (ETH), approximately $267,000 at the time.
The Boring Security team announced, “All 36 BAYC and 18 MAYC NFTs held by the exploiter are now in our possession. We have offered the hacker 10% of the floor price of these collections as a bounty.” This update was shared on X, the platform formerly known as Twitter.
Greg Solano, the co-founder of Yuga Labs — the originator of both NFT collections — played a pivotal role in this saga. He personally financed the bounty, supporting the negotiation efforts to not only recover the stolen tokens but also to ensure their return to the rightful owners at no cost.
This incident has shed light on a critical security lapse in the NFT domain. According to Foobar, the pseudonymous founder and developer of Delegate, the vulnerability was introduced 11 days prior, following a smart contract update. This change inadvertently enabled the misuse of a multicall feature, leading to unauthorized transfers of NFTs due to pre-existing trading permissions.
In the wake of this breach, there has been a community-wide call for users to revoke permissions granted to two outdated contracts, identified as 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af. Failure to do so could potentially lead to a repeat of such thefts. Foobar was instrumental in assisting the NFT Trader team in halting the attack shortly after it was detected, showcasing the resilience and rapid response of the NFT community in the face of adversity.
2 Comments