Web3 security company Boring Security announced the successful recovery of 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs.
The hacker returned the stolen NFTs after receiving a payment of 120 ETH from Yuga Labs co-founder Greg Solano.
Stolen NFTs have been recovered
The assets were stolen from P2P trading platform NFT Trader. The hack occurred on December 16 and hackers stole $3 million worth of NFTs. According to the published message, the hacker attributed the attack to another user, adding that they had come to pick up “leftover trash.” The hacker said in his message:
“I came to pick up the remaining trash. If you want this NFT back, you have to pay me 120 ETH (…). Then we’ll send you the NFT. It’s as simple as that and I never lie. Trust me (…).”
Boring Security, a blockchain security company, organized a community initiative to recover the stolen assets. Boring Security is a non-profit security project funded by ApeCoin. The security company recovered the stolen NFTs within 24 hours after paying a 120 ETH bounty, worth approximately $267,000 at the time. Announcing the recovery on X, the Boring Security team said:
“36 BAYC and 18 MAYC owned by the exploiter are now in our possession. We sent her (the hacker) 10% of the lowest price of her collection as her bounty.”
Bounty paid by Yuga Labs co-founder
The 120 ETH bounty was reportedly paid by Yuga Labs co-founder Greg Solano. Yuga Labs created both the NFT collections in question (Bored Ape Yacht Club and Mutant Ape Yacht Club) and played a key role in the negotiations to recover the stolen NFTs and return them to their rightful owners.
According to Foobar, the pseudonymous Delegate founder and developer, the vulnerability was introduced 11 days ago, when a smart contract upgrade made it possible to misuse the multi-call feature. This allowed NFTs to be transferred away from their owners without authorization, using transaction rights the owners had previously granted. Foobar stated that if the permissions are not revoked, the NFTs could be stolen again.
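The revocation point above can be checked from event logs. The following is an added example, not code from the article, Foobar or NFT Trader: it replays ERC-721 ApprovalForAll events to list the operator approvals an owner still has outstanding. It assumes the granted rights were standard ERC-721 operator approvals, which the article does not state; every address and log entry is constructed, and TRADER is a hypothetical stand-in for a trading contract.

```python
# Added example (not from the article): replay ERC-721 ApprovalForAll logs.
# Log dicts use the eth_getLogs JSON shape; all addresses below are constructed.
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def topic_to_addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def addr_to_topic(addr):
    return "0x" + "0" * 24 + addr[2:].lower()

def active_operator_approvals(logs, owner):
    """Return sorted (collection, operator) pairs still approved for owner."""
    state = {}
    # Chain order, not list order, decides which of grant/revoke wins.
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_FOR_ALL:
            continue  # not ApprovalForAll(owner, operator, approved)
        if topic_to_addr(t[1]) != owner.lower():
            continue  # someone else's approval
        approved = int(log["data"], 16) != 0  # non-indexed bool, one 32-byte word
        state[(log["address"].lower(), topic_to_addr(t[2]))] = approved
    return sorted(pair for pair, ok in state.items() if ok)

def make_log(block, index, collection, owner, operator, approved):
    return {"blockNumber": hex(block), "logIndex": hex(index), "address": collection,
            "topics": [APPROVAL_FOR_ALL, addr_to_topic(owner), addr_to_topic(operator)],
            "data": "0x" + format(int(approved), "064x")}

OWNER, STRANGER = "0x" + "aa" * 20, "0x" + "bb" * 20
COLL_A, COLL_B = "0x" + "c1" * 20, "0x" + "c2" * 20
TRADER, OTHER_OP = "0x" + "dd" * 20, "0x" + "ee" * 20  # TRADER: stand-in trading contract

SAMPLE_LOGS = [  # deliberately out of chain order
    make_log(18, 1, COLL_A, OWNER, TRADER, False),    # revoked later
    make_log(16, 0, COLL_A, OWNER, TRADER, True),
    make_log(17, 2, COLL_B, OWNER, TRADER, True),     # never revoked
    make_log(18, 0, COLL_A, OWNER, OTHER_OP, True),
    make_log(19, 0, COLL_B, STRANGER, TRADER, True),  # different owner
    {"blockNumber": "0x14", "logIndex": "0x0", "address": COLL_A,
     "topics": ["0x" + "00" * 32], "data": "0x"},     # unrelated event
]

if __name__ == "__main__":
    for collection, operator in active_operator_approvals(SAMPLE_LOGS, OWNER):
        print(f"still approved: collection={collection} operator={operator}")
```

Per-token approvals granted with ERC-721 approve are tracked by a different event and are not covered by this replay.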
The Complexities of Self-Custody
Boring Security acknowledges the complexity of self-custody in decentralized finance. The team said that while ETH developers have made significant progress in creating a user-friendly abstraction layer, digital asset management remains a complex problem.
“I’d like to give a huge shout-out to the team who worked overtime to work together this weekend to get these apes back to their rightful owners.”
Boring Security emphasized that despite future user interface improvements, it is important to understand the underlying processes and mechanisms of Web3. The security company, which has partnered with more than 80 NFT projects, emphasized the importance of championing a security culture in Web3 through free instructor-led training. The security company encouraged community leaders to contribute to the initiative by providing a whitelist for security-trained individuals. It also advocated for adopting technical primitives, training coordinators to be security champions, and making security modules a prerequisite for community access.