P2P platform NFT Trader loses $3 million in assets due to an exploit

What’s new? On December 16, unknown people exploited old smart contracts of the P2P platform for trading non-fungible tokens, NFT Trader, and withdrew assets worth $3 million. After that, an anonymous user, who denied involvement in the hack, offered to return the tokens for a reward of 10% of their value. The assets were bought by the decentralized autonomous organization (DAO) Boring Security, which promised to return NFTs to the owners for free.

What else is known? The NFT Trader team explained that malicious code was injected into two of the platform’s older smart contracts. It recommended that for security purposes, always use Revoke Cash or similar tools to revoke permissions for wallets to interact with smart contracts after making deals.

The developers assured that they have “implemented all necessary measures to prevent any such incidents in the future,” and the platform itself is secure. In addition, for more than a year, NFT Trader has been using OpenSea’s NFT marketplace protocol for exchanging ERC-721 and ERC-1155 standard tokens called Seaport, which enhances its security.

Source: Twitter.com

According to Revoke Cash experts, NFT Trader’s losses amounted to about $3 million, and the stolen assets belong to the collections authored by Yuga Labs: Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC). These are some of the most well-known and expensive collections in the crypto space, with the minimum price for the tokens as of December 18 being 26 ETH ($56 230) and 5,1 ETH ($11 000) for BAYC and MAYC, respectively, according to aggregator CoinGecko.

Source: Twitter.com

After the hack, an unknown user contacted NFT Trader and offered to return all tokens for 10% of their minimum value. At the time, it amounted to 30 ETH for BAYC and 6 ETH for MAYC. He also provided the hacker’s address and stated that he was not his accomplice.

Source: Twitter.com

The user was rewarded by DAO Boring Security, receiving 36 BAYC and 18 MAYC. At the exchange rate at the time, the ransom amount exceeded $268 000. Members of the organization urged those affected to leave requests for asset recovery in the project’s Discord channel and to “be patient.” The assets will be returned to the owners at no cost.