Hacker returns stolen "bored monkeys" for 120 ETH reward

A hacker has returned NFTs from the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) collections, which were stolen from the P2P platform NFT Trader, in exchange for a reward of 120 ETH.

On December 16, an attacker hacked the NFT Trader platform and stole collectible tokens worth approximately $3 million. In a surprising twist, the hacker left a message expressing their willingness to return the stolen assets if a reward of 120 ETH (equivalent to $267,000) was provided.

With the help of Boring Security, a non-profit project financially backed by ApeCoin, the thief received the specified amount and returned all of the tokens from the BAYC and MAYC collections within a 24-hour period. The reward was paid by Greg Solano, co-founder of Yuga Labs, the creator of the popular “bored monkeys” collections. Solano was instrumental in facilitating the negotiations to retrieve the stolen tokens and return them to their rightful owners.

“All 36 BAYC and 18 MAYC tokens that were in the possession of the attacker are now safely in our custody. As a token of appreciation, we sent the hacker 10% of the minimum value of the collections,” stated the Boring Security team on the X social network.

The developer, who goes by the pseudonym Foobar, disclosed that the vulnerability was discovered 11 days after a smart contract update. The update unintentionally allowed abuse of the multiple request feature, which enabled unauthorized transfers of NFTs on behalf of their true owners because of pre-approved trading permissions.

Foobar strongly urged all users to revoke any permissions granted to two previous contracts, namely 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af, in order to prevent future instances of NFT theft.
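One way to check a wallet for leftover permissions to the two contracts above, as an added example that is not code from NFT Trader, Foobar or Boring Security. It assumes the permissions are standard ERC-721 operator approvals (`setApprovalForAll`) and that the wallet's `ApprovalForAll` events have already been decoded; the wallet, collection addresses and event list are constructed placeholders.

```python
# Operators named in the article; compared case-insensitively because the page
# gives one address in lowercase and the other in mixed case.
FLAGGED = {
    "0xc310e760778ecbca4c65b6c559874757a4c4ece0",
    "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af".lower(),
}
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)


def outstanding_approvals(events, owner):
    """Replay decoded ApprovalForAll events (oldest first) and return the
    (collection, operator) pairs where a flagged operator is still approved."""
    state = {}
    for ev in events:
        if ev["owner"].lower() != owner.lower():
            continue
        key = (ev["collection"].lower(), ev["operator"].lower())
        state[key] = ev["approved"]  # a later event overrides an earlier one
    return sorted(k for k, ok in state.items() if ok and k[1] in FLAGGED)


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false), to be sent to the collection."""
    addr = operator.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("not a 20-byte hex address: %r" % operator)
    return "0x" + SET_APPROVAL_FOR_ALL + addr.rjust(64, "0") + "0" * 64


# Constructed sample data (placeholder wallet and collection addresses).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
COLL_A, COLL_B = "0x" + "aa" * 20, "0x" + "bb" * 20
OP1 = "0xC310E760778ECBCA4C65B6C559874757A4C4ECE0"  # same operator, upper case
OP2 = "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af"
EVENTS = [
    {"collection": COLL_A, "owner": OWNER, "operator": OP1, "approved": True},
    {"collection": COLL_B, "owner": OWNER, "operator": OP2, "approved": True},
    {"collection": COLL_B, "owner": OWNER, "operator": OP2, "approved": False},
    {"collection": COLL_A, "owner": OWNER, "operator": "0x" + "cc" * 20, "approved": True},
    {"collection": COLL_B, "owner": OTHER, "operator": OP1, "approved": True},
]

if __name__ == "__main__":
    for collection, operator in outstanding_approvals(EVENTS, OWNER):
        print("revoke on", collection, "->", revoke_calldata(operator))
```
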

It is worth noting that in early December, a Parisian court deemed the hackers who compromised the decentralized finance service Platypus and stole $8.5 million “ethical”, since they agreed to return the stolen assets in exchange for a reward.