P2P platform NFT Trader breached, asks users to revoke approval
NFT Trader is suspected to have been breached after several blue-chip non-fungible tokens (NFTs) were wrongfully transferred.
According to an X post by Chinese crypto news reporter Colin Wu, the NFTs were transferred to the address 0x909F2159780e64143CF08f32dBBF56Ed19478fda.
Wu gave an update about the address holder’s on-chain message, denying they hacked the P2P trading platform, and claiming they rescued the NFTs to return them.
The holder, who identified themselves as a female “scavenger,” revealed the real hacker’s address as 0x3dc115307c7b79e9ff0afe4c1a0796c22e366a47b47ed2d82194bcd59bb4bd46
NFT Trader also announced it has suffered an attack on old smart contracts on X (formerly Twitter), asking users to remove delegations via Revoke.cash to the following addresses:
- 0xc310e760778ecbca4c65b6c559874757a4c4ece0
- 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
The P2P trading platform is fairly unknown by most NFT traders. its website shows its CEO is John Pak, working together with co-founders Mattia Migliore and an individual who goes by the pseudonym “Bruckzr.”
On X, an NFT collector (@dingalingts) urged traders to “revoke approval to their contract ASAP” if they’ve used NFT Trader before. They identified all the stolen digital assets, which amounted to more than $2 million, including 37 BAYC, 13 MAYC, 4 World of Women, and 6 VeeFriends.
For the hacker to return the NFTs, they sent some demands through their on-chain message, insisting owners need to pay them a bounty because “it is what they deserve,” asking for 10% of the NFTs’ values for their “work.”
Don’t ‘blindly send ETH‘
The crypto community is skeptical about the demands. Market analysts like ZachXBT are warning traders not to “blindly send their ETH.”
ZachXBT exchanged some words with the exploiter, questioning the integrity of their word to return the assets.
The analyst reckoned that if they were up to giving back the stolen assets, they should consider listing the Apes to the original wallet address or using a middleman for the process.
Esports platform Kungama founder Michael Padilla, famously known as TFG, was among the victims of the NFT Trade exploit.
TFG took to X to announce he has lost two of his most valued BAYC NFTs, revealing he used NFT trade about 1 and a half years ago and didn’t think he was at risk because he “removed it as a connected site.”
TFG acknowledged he didn’t take the necessary steps to shield his assets from the exploit, including revoking permissions on Etherscan.
According to Eden Block VC founder, who goes by the handle Lior.Eth on X, this is not the first time NFT Trader has been hacked, although there haven’t been any other incidents reported by the platform prior to today’s hack.
An X user dubbed bytes032.xyz, who describes themselves as a white glove smart contract security service provider, described the hack as “peak degeneracy.”
They shared a javascript report of NFTTrader’s exploited smart contract, which showcased how everyone was helpless in pausing the contract because the platform’s team didn’t expose the _pause function with public visibility.
The _pause function is used in a smart contract to halt all activity if something goes wrong. If the _pause function is not public, then only the original creator can stop the contract and prevent further loss of funds.
However, if the original creator is unaware of the problem or not available at the time, the hacker could potentially drain all the funds before anyone can stop them.
Nonetheless, there could be a light among the dark clouds seen by the victims of the NFT Trader hack, as BAYC’s founder Greg Solano has offered to pay 10% of the bounty the exploiter has asked for to see the NFTs have been returned to their rightful owners.
Hacker returns one NFT without bounty
In a remarkable twist, the exploiter has willingly given back a World of Women (WOW) NFT without charge, per Etherscan data. After returning the stolen WOW NFT, the hacker also returned a BAYC and a VFT to its rightful owners, without any further demand for payment.
This unexpected twist has added a sense of unpredictability to the ongoing saga, leaving the community both astonished and uncertain about the hacker’s motives.