Hacks Rock NFT Space: $4.5M in Apes, Pudgies, & More Stolen

Hacks are an inevitable part of new technological spaces, where nefarious individuals attempt to take advantage of weak points in systems for financial gain. So far, the NFT space has been mostly spared — although common scams such as drainer links and seed-phrase compromises have been around since at least 2021.

The relative security came to an end this weekend. In two separate hacks, $4.5 million worth of non-fungible tokens were stolen, including over 50 Bored Apes, a dozen Mutant Apes, some Gold Pudgy Penguins, and tokens from World of Women, VeeFriends, and other top collections. The drama unfolded on-chain and on X, as hackers moved from theft to ransom.

Fortunately, at least in one case, a hero emerged.

This is the story of the NFT Trader and Flooring Protocol hacks. Welcome to Web3.

NFT Trader Hack: An Exploited Smart Contract

At 6 a.m. on Saturday, December 16th, well-known NFT collector “dingaling” posted a message on X, sounding an alarm. With 162 thousand followers, there was no doubt his post would catch attention. Still, he started it off with four “red alarm” emojis and the words “RED ALERT.”

NFT Trader was under attack. The platform, known for facilitating peer-to-peer trades of non-fungible tokens, had been used frequently during the last bull run, before other, safer methods were designed in the bear market. It appeared, based on the message, that someone had found a loophole.

What dingaling had alerted the community about was a “reentrancy attack,” according to Cygaar. In Solidity (the programming language of Ethereum smart contracts), a reentrancy attack abuses a contract that makes an external call (for example, sending ETH or an NFT to another address) before it has finished updating its own state: the receiving contract’s callback calls back into the vulnerable contract while it is still in that half-finished state and repeats the transfer. It is commonly used to drain decentralized autonomous organizations (DAOs) and blockchain protocols of money.

In this case, the targeted smart contract was NFT Trader’s. Using a combination of a self-swap, the contract’s “editCounterPart” function, and stale token approvals that holders had granted to the contract in the past, hackers were able to transfer prized non-fungible tokens directly out of holders’ wallets into their own. Within hours, at least 36 Bored Apes, 18 Mutant Apes, and many more NFTs were transferred from holders to hackers.
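The article does not show NFT Trader’s code, so the reentrancy pattern is illustrated here with a constructed ETH-for-NFT offer contract in its vulnerable shape and its hardened shape (added example, not the project’s own code); `OfferBook`, `makeOffer`, `cancelOffer` and `fill` are invented names, and the `IERC721` interface is assumed from OpenZeppelin.

```solidity
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Constructed ETH-for-NFT offer book, not NFT Trader's contract. Buyers escrow
// ETH for a specific token; the token's owner fills the offer and is paid.
contract OfferBook {
    struct Offer { address buyer; IERC721 nft; uint256 tokenId; uint256 price; bool done; }
    mapping(uint256 => Offer) public offers;
    uint256 public count;

    function makeOffer(IERC721 nft, uint256 tokenId) external payable {
        offers[count++] = Offer(msg.sender, nft, tokenId, msg.value, false);
    }
    // Refund is only meant to be reachable while the NFT has not moved.
    function cancelOffer(uint256 id) external {
        Offer storage o = offers[id];
        require(msg.sender == o.buyer && !o.done, "not cancellable");
        o.done = true;
        (bool ok, ) = msg.sender.call{value: o.price}("");
        require(ok, "refund failed");
    }
    // VULNERABLE ORDER: safeTransferFrom calls the buyer's onERC721Received while
    // o.done is still false, so a contract buyer can re-enter cancelOffer(id) from
    // that callback, take its ETH back, and still end up holding the NFT. The
    // seller is then paid out of ETH that other buyers escrowed.
    function fill(uint256 id) external virtual {
        Offer storage o = offers[id];
        require(!o.done, "not fillable");
        o.nft.safeTransferFrom(msg.sender, o.buyer, o.tokenId); // interaction first
        o.done = true;                                          // effect too late
        (bool ok, ) = msg.sender.call{value: o.price}("");
        require(ok, "payout failed");
    }
}

// Fix: checks-effects-interactions order plus a reentrancy guard.
contract HardenedOfferBook is OfferBook {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    function fill(uint256 id) external override nonReentrant {
        Offer storage o = offers[id];
        require(!o.done, "not fillable");
        o.done = true;                                          // effect first
        o.nft.safeTransferFrom(msg.sender, o.buyer, o.tokenId); // then interactions
        (bool ok, ) = msg.sender.call{value: o.price}("");
        require(ok, "payout failed");
    }
}
```

The guard alone would also block the re-entry, but writing the effect before the external call is the habit that stops the whole class, including paths a guard was never applied to.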

It was something of a free-for-all. The black hats were winning in a landslide.

Solidity Experts Stop the Bleeding

Around 8:30 a.m., as more and more hackers were piling into the exploit, stealing thousands of dollars’ worth of NFTs in the process, a white hat emerged: a 16-year-old named Fade who calls themselves a “checker of chain (amongst other things).”

They noticed that every exploit transaction had to send ETH to NFT Trader’s Vault address, and they proposed that NFT Trader change that address to a contract whose fallback reverts: the ETH transfer would fail, so each exploit transaction would revert as a whole. Foobar, a well-known name and developer in the space, implemented the solution, posted the new contract on Etherscan, and tagged NFT Trader.
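The circuit breaker just described, as an added illustration rather than NFT Trader’s or Foobar’s actual contracts: the `Trading` contract, its `setVault` function and the fee-forwarding path are assumptions, and the `IERC721` import is OpenZeppelin’s.

```solidity
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Constructed trading contract (not NFT Trader's): every trade forwards the
// ETH sent with it to a vault address that the owner can repoint.
contract Trading {
    address public owner;
    address public vault;

    constructor(address initialVault) { owner = msg.sender; vault = initialVault; }

    function setVault(address newVault) external {
        require(msg.sender == owner, "not owner");
        vault = newVault;
    }

    // The fee is paid with a low-level call whose success is required, so the
    // NFT transfer below only happens if the vault accepted the ETH.
    function trade(IERC721 nft, address to, uint256 tokenId) external payable {
        (bool ok, ) = vault.call{value: msg.value}("");
        require(ok, "fee transfer failed");       // reverts the whole transaction
        nft.transferFrom(msg.sender, to, tokenId); // uses the approval granted to this contract
    }
}

// Emergency vault: rejects all incoming ETH (even zero-value calls hit receive()),
// so after setVault(address(new RevertingVault())) every trade reverts until a
// real fix is deployed, without touching the trading contract itself.
contract RevertingVault {
    receive() external payable { revert("trading paused"); }
    fallback() external payable { revert("trading paused"); }
}
```

Because a revert undoes the entire transaction, the NFT transfers that would have followed the fee payment never take effect, which is why a one-line vault swap was enough to halt the drain.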

Within minutes, the exploit had been stopped and no more NFTs were being drained from wallets. But in the midst of the attack, a hacker who had stolen 36 Apes and 18 Mutants made their demands, posting an unusual message directly on the blockchain. The focus would shift from halting the theft to recovering the lost items.

A Blockchain Message from a Hacker with ‘Limited Technical Skills’

While there were many hackers who took advantage of the NFT Trader exploit, one stood out: the hacker that stole the Apes and Mutants, along with some other high-profile (and valuable) NFTs. At 7:30 a.m., one hour after dingaling’s initial post, blockchain sleuth ZachXBT found a message from the hacker on Etherscan. They were demanding a ransom.

The hacker, who claimed they had limited technical skills (one X user remarked that this was the definition of a ‘humble brag’), wanted 10% of the floor price for each asset returned. Because the floor price for Bored Apes was 30 ETH at the time and for Mutants 6 ETH, the hacker wanted 3 ETH per Ape returned and 0.6 ETH per Mutant.

They provided addresses where interested individuals could send the ETH, which, once received, would supposedly result in the hacker sending the NFTs back. In good faith, of course.

Quickly, leaders in the space implored former holders not to send ETH. It could be a case of a hacker “double-dipping,” getting paid twice for the same crime, a common practice in cybersecurity ransom situations.

Fortunately, all ended well.

Greg Solano, known as Garga and co-founder of the Bored Ape Yacht Club, announced on X that he would pay 120 ETH (about $260,000 at the time of this writing) for the safe return of all Bored Ape and Mutant NFTs. And so it was done. The hacker transferred the NFTs to Boring Security DAO (a DAO that came out of the ApeCoin organization), and everything had settled by midnight.

However, in the middle of the action, another exploit had been found and more NFTs were stolen.

Hacker Gains $1.6M from NFTs Stolen from Flooring Protocol

At 7 p.m. that same day, Foobar spotted another hack unfolding. This one involved Flooring Protocol, a liquidity platform for NFTs that fractionalizes non-fungible tokens into a tradeable, fungible token. Like the NFT Trader hack, this one abused approvals that wallets had granted to the protocol. This time, however, the protocol’s multicall function was the weak point.

The hacker (there appears to have been just one) managed to steal 690 ETH worth of NFTs, including three dozen Pudgy Penguins and 15 Bored Apes. Quickly, everything was dumped into Blur bids. All told, the hacker made off with $1.5 million, leaving a trail of wreckage in their wake.

According to Foobar, the root cause of this hack was a faulty contract upgrade 11 days earlier that had introduced the vulnerability. Fortunately, it was patched rapidly and further damage was prevented.

In the end, it was another wild weekend in Web3 — in this case, not the good kind. As many remarked, these problems will spell difficulty for any “normie” looking to enter the space, as having assets worth $60,000 stolen through no fault of your own is enough to turn anyone off.

Without the remarkable efforts of Fade, Foobar, Solano, and others, the damage could have been much more significant. Hats off to them and everyone who contributed. Although two organizations failed in their security practices, the community rose to the challenge and prevented further disaster.
