Table of Contents
- Stolen NFTs Recovered
- Bounty Paid By Yuga Labs Co-Founder
- Complexity Of Self Custody
A Web3 security firm, Boring Security, has announced that it has successfully recovered 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs.
The hacker returned the stolen NFTs after receiving a payment of 120 ETH from Yuga Labs co-founder Greg Solano.
Stolen NFTs Recovered
The assets were stolen from the peer-to-peer trading platform NFT Trader. The hack occurred on the 16th of December, with the hacker stealing $3 million worth of NFTs. According to available public messages, the hacker attributed the exploit to another user, adding that they had come to pick up “residual garbage.” The hacker stated in their message,
“I came here to pick up residual garbage. “If you want these NFTs back, then you need to pay me 120 ETH […], and then I will send you the NFTs; it’s as simple as that, and I never lie, believe me […].”
Blockchain security firm Boring Security organized a community initiative to recover the stolen assets. Boring Security is a non-profit security project funded by ApeCoin. The security firm recovered the stolen NFTs within 24 hours after paying a 120 ETH bounty worth around $267,000 at the time. The Boring Security team announced the recovery on X, stating,
“All 36 BAYC and 18 MAYC that the exploiter had are now in our possession. We sent her [the hacker] 10% of the floor price of the collections as bounty.”
Bounty Paid By Yuga Labs Co-Founder
The 120 ETH bounty was reportedly paid by the co-founder of Yuga Labs, Greg Solano. Yuga Labs is the creator of both NFT collections in question (Bored Ape Yacht Club and Mutant Ape Yacht Club) and played a crucial role during the negotiations to recover the stolen NFTs and return them to their rightful owners.
According to the pseudo-anonymous founder and developer of Delegate, Foobar, the vulnerability in question was introduced 11 days ago when a smart contract upgrade enabled a vulnerability that facilitated the misuse of a multicall feature. This allowed the unauthorized transfers of NFTs from their owners due to trading permissions granted previously. Foobar stated that the NFTs could be stolen again if the permissions were not revoked.
Complexity Of Self Custody
Boring Security acknowledged the complexity of self-bustody in decentralized finance. The team stated that while ETH developers have made considerable progress in creating user-friendly abstraction layers, managing digital assets remains a complex problem.
“As we finish up getting these apes back to their rightful owners, I just want to give a huge shoutout to the team for working overtime this weekend to come together on this.”
Boring Security stressed the importance of understanding the underlying processes and mechanisms of Web3 despite upcoming improvements in user interfaces. The security firm, which has partnered with over 80 NFT projects, also stressed the importance of advocating a culture of security in Web3 with the help of free, instructor-led training. The security firm encouraged community leaders to contribute to this initiative by providing whitelists for security-educated individuals. It also advocated for adopting technical primitives and training moderators to be security champions, and offering security modules as prerequisites for community access.
