The hacker responsible for the theft of $3 million worth of NFTs from the peer-to-peer trading platform NFT Trader has returned the assets.

The successful recovery followed a unique negotiation where the hacker demanded a payment of 120 ETH (approximately $267,000) in exchange for returning the stolen NFTs.

‍

Hacker's Demands and Payment

The hack occurred on December 16, with the hacker, through public messages, attributing the exploit to another user. 

Blockchain security firm Boring Security played a crucial role in recovering the stolen NFTs. A community initiative organized by the non-profit security project, funded by ApeCoin, successfully retrieved the assets within 24 hours.

The Boring Security team announced the successful recovery on X, stating that all 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs that the exploiter had are now in their possession. 

Greg Solano, co-founder of Yuga Labs, paid the 120 ETH bounty, representing 10% of the floor price of the collections, as part of the recovery effort. Yuga Labs, the creator of the NFT collections, actively supported the negotiations to ensure the safe return of the tokens.

‍

Root Cause of the Exploit

According to "Foobar," the pseudonymous founder and developer of Delegate, the vulnerability leading to the exploit was introduced 11 days prior. A smart contract upgrade allowed the misuse of a multicall feature, enabling unauthorized transfers of NFTs due to previously granted trading permissions.

The incident prompted calls from the developer for users to revoke all permissions granted to two old contracts (0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af) to prevent potential future attacks. The developer, along with NFT Trader's team, acted swiftly to stop the attack and assist in securing the platform.