NFT Heist: Community Bounty Recovers Stolen BAYC and MAYC Assets

The hacker blamed another user and demanded ransom, but Boring Security, backed by ApeCoin, recovered the assets within 24 hours.

All of the Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) that were taken from the peer-to-peer trading platform NFT Trader have been returned following the receipt of a reward payment.

On December 16th, the hack resulted in the theft of NFTs worth approximately $3 million. According to emails that were made public, the attacker placed the blame for the initial vulnerability on another user.

They wrote, “I came here to pick up residual garbage,” and demanded ransom money in order to restore the NFTs without any further delay. “If you want these NFTs back, then you need to pay me 120 ETH, and then I will send you the NFTs; it’s as simple as that, and I never lie; believe me,” reads one of the messages. “I never lie; believe me.”

A community initiative led by Boring Security, a non-profit Web3 security project financed by ApeCoin, recovered all of the assets in less than twenty-four hours after paying the 120 Ether (ETH) bounty, which was around $267,000 at the time of this writing.

“We have now taken custody of all 36 BAYC and 18 MAYC that were in the possession of the exploiter. As a type of reward, we offered her (the hacker) ten percent of the floor price of the collected,” the Boring Security team stated on X (which was then known as Twitter).

Greg Solano, a co-founder of Yuga Labs, paid the bounty. Yuga Labs, the originator of the NFTs, was also involved in the discussions to reclaim the tokens and return them to their rightful owners at no cost.

Foobar, a pseudonymous founder and developer of Delegate, introduced the vulnerability eleven days ago when upgrading a smart contract, which allowed for the misuse of a multicall feature. Trading permissions granted in the past allowed for unauthorized transfers of non-fungible tokens (NFTs) from their rightful owners.

Users requested the revocation of all rights granted to two outdated contracts, 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af, due to the problem.

Foobar warned that the NFTs could be stolen again if the approvals are not rescinded. The developer assisted the NFT Trader team in its efforts to halt the attack shortly after its discovery.
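
An added example, not code from the article, NFT Trader or Delegate: one way a holder could check for and revoke standing approvals to the two contracts named above. It assumes the approvals were granted through the standard ERC-721 setApprovalForAll call; the collection address, owner address and RPC responses are constructed placeholders, and the function names are hypothetical.

```python
# The two legacy NFT Trader contracts named in the article.
LEGACY_OPERATORS = [
    "0xc310e760778ecbca4c65b6c559874757a4c4ece0",
    "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af",
]
# Standard ERC-721 function selectors.
SEL_IS_APPROVED_FOR_ALL = "e985e9c5"   # isApprovedForAll(address,address)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)

# Constructed placeholders, not real addresses or real node output.
SAMPLE_COLLECTION = "0x" + "11" * 20
SAMPLE_OWNER = "0x" + "22" * 20
SAMPLE_RESPONSES = [
    {"jsonrpc": "2.0", "id": 1, "result": "0x" + "0" * 63 + "1"},  # still approved
    {"jsonrpc": "2.0", "id": 2, "result": "0x" + "0" * 64},        # not approved
]

def addr_word(addr):
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr}")
    return h.rjust(64, "0")

def approval_query(collection, owner, operator, req_id=1):
    """JSON-RPC eth_call body: may `operator` move all of `owner`'s tokens?"""
    data = "0x" + SEL_IS_APPROVED_FOR_ALL + addr_word(owner) + addr_word(operator)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": collection, "data": data}, "latest"]}

def is_approved(rpc_response):
    """Decode the 32-byte ABI bool returned by isApprovedForAll."""
    result = rpc_response.get("result", "0x")
    if len(result) != 66:  # "0x" plus one 32-byte word
        raise ValueError("unexpected eth_call result; is `to` an ERC-721 contract?")
    return int(result, 16) == 1

def revoke_calldata(operator):
    """Calldata for setApprovalForAll(operator, false), sent by the owner to the collection."""
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + addr_word(operator) + "0" * 64

def pending_revocations(collection, responses):
    """Return the revoke transactions still needed, one per approved legacy operator."""
    return [{"to": collection, "data": revoke_calldata(op)}
            for op, resp in zip(LEGACY_OPERATORS, responses) if is_approved(resp)]
```

Each approval_query body is posted to an Ethereum node once per collection held; any transaction returned by pending_revocations has to be signed and sent from the owner's own wallet.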