NFT Trader Contract Compromise Leads to Millions in NFTs Drained
In the second major hack this week, a pair of old contracts belonging to the trading site NFT Trader was compromised this morning (Dec. 16), leading to a hacker stealing a number of high-value Bored Apes and other older, valuable NFTs, including Art Blocks, World of Women, and VeeFriends.
Although delegate.cash founder 0xfoobar, working with a 16-year-old coder, has managed to pinpoint the faulty code in NFT Trader's exploited contracts and assist the team in neutralizing the exploits, users are urged to revoke any allowances linked to these contracts, which are listed in the post by NFT Trader below. This can be done on revoke.cash, which is fully safe to use again after the widespread exploit of a Ledger Connect library was resolved on Dec. 14.
“Users should go to Revoke.Cash and immediately search to see if they have approvals for the NFTTrader contracts; if so, revoke ASAP. They are vulnerable if they have an approval and they must revoke, which is not a disconnect from the site but an on-chain revoke, before the hacker withdraws their asset,” a cybersecurity engineer and Wallet Guard ambassador told nft now.
🚨🚨We've suffered an attack on old smart contracts, please remove the delegation using https://t.co/zEMgkS96nP to the following addresses:
-0xc310e760778ecbca4c65b6c559874757a4c4ece0
-0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
— NFT Trader (@NftTrader) December 16, 2023
NFT Trader is a swapping site that was widely used in 2021 for direct peer-to-peer trades; the exploited contracts are older ones, not the contracts currently used for trading.
A number of rare and high-value Bored Apes and Mutants have been stolen from holders. “Millions of dollars of NFTs were stolen. I’ve never seen anything of this size. Some of the absolute top apes—a few worth $300k+—were taken. It appears to have hit people who did trades on NFT Trader in the past and still had permissions on the given wallets. This means mainly BAYC, MAYC, WoW and older high value assets. Blur, x2y2, OpenSea swap are now the common vehicles for swaps,” wrote analyst Sam Gellman.
An individual claiming to be the hacker has been communicating with security researcher ZachXBT via onchain chat. “Hello, everyone. I’m a scavenger. First of all, monkeys are safe, and in the end, they come back to the user,” the individual wrote.
“At first, as usual, I came here to pick up residual garbage. At first I thought I could only get tokens, but eventually I found out that I could also get NFTs. I don’t know much about NFTs, but I looked up the price of NFTs, and I think there’s a lot of profit to be made from exploits. I don’t know if the person who started it didn’t realize it, or if he’s continuing to prepare for an exploit, so I’m going to follow it up. I’m a good person, the value of these NFTs is enough for a person to live a free life, but I don’t care about that. I prefer to pick up the leftover trash,” the “scavenger” continued.
The hacker has offered to return stolen NFTs for a fee, and has in fact returned some Apes, and the proceeds of Apes that had already been sold, to some affected holders even though they had not paid.
1) What
0xc2f91dbab46531732908a317290e18297670d0bb02bb66f94aa883ec448d9391
— ZachXBT (@zachxbt) December 16, 2023
Users who have lost assets are strongly cautioned not to send any money to the hacker, because of the risk that the offer is a “honeypot”: some individuals may pay and get their tokens back, but that is no guarantee the thief will keep honoring the arrangement, and they could keep the tokens as well as the ETH paid for recovery at any time.
Even though the exploit is reported as having been resolved, in cases like these it is important for users to revoke approvals to these two contracts even if the wallet that granted them currently holds no tokens (whether NFTs, wrapped ETH or ERC-20 tokens such as ApeCoin). An approval is tied to the wallet and the token contract, not to the specific tokens held at the time it was granted, so any NFT from an approved collection, or any ERC-20 within an open allowance, moved into that wallet after the fact could still be stolen, even weeks later.
Revoking an allowance is not the same thing as simply disconnecting your wallet from a dApp, said Wallet Guard partnership director and cybersecurity specialist MichaelK.eth. “Disconnecting your wallet from a website and revoking an on-chain approval are two completely separate actions. It is important to remember that when you are giving an on-chain approval to a contract, that contract has the ability to interface with your assets indefinitely, until you revoke the approval,” he told us.
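To make the two points above concrete, here is an added example (it is not code from the article, NFT Trader or Wallet Guard). It models the ERC-721 transfer authorization rule well enough to show that a `setApprovalForAll` granted for a 2021 swap still covers an ape bought into the same wallet much later, and that only an on-chain revoke closes it; it also builds the raw calldata that a wallet actually sends to check or revoke an approval, which is what revoke.cash submits on your behalf. The two operator addresses are the ones NFT Trader listed; the trader and vault wallet addresses and the token ids are constructed for the example, and the selectors are the standard ERC-721/ERC-20 ones.

```python
# Added example (not from the article, NFT Trader or Wallet Guard): a small
# model of ERC-721 operator approvals plus the raw calldata that an on-chain
# check or revoke actually sends. Standard library only. The two contract
# addresses are the ones NFT Trader listed; every other address and token id
# below is constructed for the example.

# 4-byte function selectors: first four bytes of keccak256 of the signature.
SEL_IS_APPROVED_FOR_ALL = "e985e9c5"   # isApprovedForAll(address,address)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
SEL_ERC20_APPROVE = "095ea7b3"         # approve(address,uint256)

# Old NFT Trader contracts from the post above.
NFT_TRADER_OLD = (
    "0xc310e760778ecbca4c65b6c559874757a4c4ece0",
    "0x13d8faF4A690f5AE52E2D2C52938d1167057B9af",
)


def _word(value) -> str:
    """ABI-encode an address (hex string), bool or uint256 as one 32-byte word."""
    if isinstance(value, bool):
        value = int(value)
    elif isinstance(value, str):
        value = int(value, 16)  # accepts checksummed or lower-case hex
    if not 0 <= value < 2 ** 256:
        raise ValueError("value does not fit in 32 bytes")
    return f"{value:064x}"


def encode_is_approved_for_all(owner: str, operator: str) -> str:
    """Calldata for an eth_call to the collection contract: does `operator`
    hold blanket approval over `owner`'s tokens? A returned word ending in 1
    means yes."""
    return "0x" + SEL_IS_APPROVED_FOR_ALL + _word(owner) + _word(operator)


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Calldata for the revoke transaction (approved=False). It goes to the
    collection contract (e.g. BAYC) and is signed by the wallet that granted
    the approval; disconnecting from a website never produces this."""
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + _word(operator) + _word(approved)


def encode_erc20_approve(spender: str, amount: int) -> str:
    """ERC-20 equivalent: approve(spender, 0) sent to the token contract."""
    return "0x" + SEL_ERC20_APPROVE + _word(spender) + _word(amount)


class ERC721Approvals:
    """Just enough of ERC-721 to reproduce its transfer authorization rule:
    the caller must be the owner, the per-token approved address, or an
    operator approved via setApprovalForAll."""

    def __init__(self) -> None:
        self.owner_of: dict[int, str] = {}
        self.token_approval: dict[int, str] = {}
        self.operator_approval: dict[tuple[str, str], bool] = {}

    def receive(self, owner: str, token_id: int) -> None:
        """Token lands in `owner`'s wallet; per-token approval resets on transfer."""
        self.owner_of[token_id] = owner.lower()
        self.token_approval.pop(token_id, None)

    def set_approval_for_all(self, owner: str, operator: str, approved: bool) -> None:
        self.operator_approval[(owner.lower(), operator.lower())] = approved

    def can_transfer(self, caller: str, token_id: int) -> bool:
        owner = self.owner_of[token_id]
        caller = caller.lower()
        return (caller == owner
                or self.token_approval.get(token_id) == caller
                or self.operator_approval.get((owner, caller), False))


def stale_approval_scenario() -> tuple[bool, bool, bool]:
    """Constructed timeline: a trader approved the old NFT Trader contract for
    a 2021 swap, later buys a new ape into the same wallet, then revokes.
    Returns (drainable before revoke, drainable after revoke, vault ape drainable)."""
    bayc = ERC721Approvals()
    trader = "0x1111111111111111111111111111111111111111"  # constructed wallet
    vault = "0x2222222222222222222222222222222222222222"   # constructed; never approves anything
    operator = NFT_TRADER_OLD[0]

    bayc.set_approval_for_all(trader, operator, True)  # granted for the 2021 swap
    bayc.receive(trader, 4242)                         # ape bought long after
    bayc.receive(vault, 4343)                          # ape held in the vault wallet

    before = bayc.can_transfer(operator, 4242)
    bayc.set_approval_for_all(trader, operator, False)  # the on-chain revoke
    after = bayc.can_transfer(operator, 4242)
    vault_hit = bayc.can_transfer(operator, 4343)
    return before, after, vault_hit


if __name__ == "__main__":
    print(stale_approval_scenario())
    print(encode_set_approval_for_all(NFT_TRADER_OLD[0], False))
```

The scenario returns `(True, False, False)`: the compromised operator can move a token that arrived years after the approval, the revoke alone stops it, and a wallet that never approved anything is untouched. The `encode_*` helpers produce the `data` field for an `eth_call` or a signed transaction to the NFT or token contract, which is the only thing that changes on-chain state; a dApp "disconnect" only forgets a browser session.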
Waking up to the news and the hacker's offer, Yuga Labs co-founder Greg Solano committed to covering the ransom demanded by the scavenger, if the offer is legitimate. “Just woke up to see this heartbreaking NFT trader exploit. If you’ve ever used the platform, please revoke all approvals asap. And if the info below is real, I will gladly put up the ETH to see these 50 apes back to their rightful owners,” posted Solano, referencing the hacker’s on-chain conversation with ZachXBT.
After revoking, how can users stay safe going forward? One good suggestion is the “Three Address Protocol” advocated by BoringSecDAO, in which users keep a vault wallet that never connects to any contract or dApp and is used only to hold assets and transfer them in and out. Under this protocol, BoringSecDAO suggests a second wallet for interacting with trusted contracts and marketplaces, and a third, burner wallet for interacting with untrusted websites.
It is also advisable to install desktop browser security extensions such as Wallet Guard, Pocket Universe or Revoke.cash's own extension. These tools simulate the transaction you are about to sign before you sign it and warn you if it poses a risk.