In a significant breach of the peer-to-peer trading platform NFT Trader, hackers targeted “old smart contracts,” resulting in the theft of millions of dollars in high-value NFTs. The stolen assets include rare Bored Ape and Mutant Ape Yacht Club tokens, World of Women NFTs, VeeFriends, Art Blocks, and more. NFT Trader confirmed the attack in a post, acknowledging the compromise of old smart contracts and advising users to revoke any permissions granted to these contracts in the past. A user, foobar, suggested that the attacks concluded after NFT Trader updated its smart contracts to address a reentrancy vulnerability.
The primary attacker, who attributed the NFT exploit to another user, posted a public message on the blockchain, justifying the attack as an effort to “pick up residual garbage.” The attacker offered to return tokens to victims upon receiving a ransom of 3 ETH per Bored Ape and 0.6 ETH per Mutant Ape. The attacker’s actions include refunding one Bored Ape along with 31 ETH to a user and returning certain staked Bored Apes to their owners, while retaining the ApeCoin rewards.
Additionally, auxiliary hacks have been reported, involving the draining of tokens such as Cool Cats and Squiggles from users’ wallets. Despite these developments, NFT Trader has not responded to The Block’s request for comment.