
NFT exploit

Nifty News: Trader nabs 800 ETH by baiting a bot, NFT thefts slow and more

A trader walked off nearly $1.5 million richer after tricking a bot that was copying his trades into buying a slew of NFTs at a markup.

NFT trader's $1.5M bot chess move

YouTuber and nonfungible token (NFT) trader Hanwe Chang said he scored 800 Ether (ETH), around $1.5 million, by tricking a rival trader’s bot into buying his own inflated NFTs.

In an Aug. 5 X (Twitter) post, Chang said he noticed a bot was copying his bids on the NFT marketplace Blur and decided to trick it.

An NFT-focused account, A Raving Ape, speculated that Chang used a separate, anonymous wallet to purchase multiple Azuki NFTs sharing the same background color.

Knowing bots were copying his trades, Chang placed an inflated bid on the NFTs held in his anonymous wallet from his publicly known hanwe.eth wallet.

Once a bot automatically copied the inflated bid, Chang accepted it from his anonymous wallet and was able to palm off the NFTs at a significant markup.

The apparent owner of the bot, known as elizab.eth, responded to Chang’s post claiming the funds were stolen and offering to discuss a 10% bounty if the funds were returned.

Chang’s on-chain move triggered discussion over its legality.

Lawyer Gabriel Shapiro said he thinks elizab.eth “might have good legal claims” to get their ETH back from Chang’s trick — but only if they hire a skilled litigation attorney.

NFT volumes nearly halve over July

NFT volumes have continued to slide in the ongoing bear market, having sunk by almost half over July.

Figures from NFT data aggregator CryptoSlam show U.S. dollar sales volume decreased nearly 42% over July with the month starting off with $22 million in daily volume before sinking to $12.8 million on July 31.

Weekly NFT sales with black line depicting U.S. dollar sales volume. Source: Cryptoslam!

July’s drop comes after a significant rally in late June where daily sales volumes peaked at nearly $58.5 million on June 27, the largest trading day since March 16’s $61.9 million figure.

Royalties from NFTs are also biting creators. A July 25 report from Nansen said out of the 699,816 ETH in royalties paid to NFT projects, just 9.4% of the figure was in the first half of 2023.

Nansen said the effective fee rate for royalties has seen a significant downtrend: average royalties in 2022 were 2.5%, which as of July 2023 had dropped to 0.6%, a 98% drop.

Slow month for NFT thefts

On the other hand, NFT-related thefts have seen their slowest month in 2023.

Figures by blockchain security firm PeckShield shared on Aug. 6 show around $1.7 million worth of NFTs were stolen in July. The figure marks a 31% decrease from June.

PeckShield said half of the stolen NFTs were sold on marketplaces such as Blur and OpenSea within 165 minutes, less than three hours, of being taken.

Blur accounted for the largest share of stolen NFTs sold, over 67%, while just under 20% were sold through OpenSea, PeckShield claimed.

Just over $41.5 million worth of NFTs have been stolen in 2023 up to the end of July. February was the biggest month for NFT thieves, with $16.2 million worth of tokens taken.

Gary Vee’s NFT project also steps into sneaker trend

VeeFriends, the NFT project by entrepreneur and internet talking head Gary Vaynerchuk, has joined the latest craze of NFT-related sneakers.

On Aug. 4, VeeFriends announced it had partnered with Reebok to launch a limited-edition sneaker available only to holders of an alpaca-related NFT from the collection.

The shoe looks like any other aside from a few changes. The tongue of the shoe depicts the original hand-drawn version of the VeeFriends alpaca NFT, and the NFT project’s logo appears in place of Reebok’s.

Related: NFT gas usage shows downward trend, signals shift in landscape

It’s the third sneaker-NFT project in recent weeks. In late June, Dior put out a new line of sneakers that came with an NFT replica, and NFTs were embedded in Puma’s recent sneaker collection.

Other Nifty News

The Federal Bureau of Investigation (FBI) has finally caught on that criminals are hijacking social media accounts and posing as legitimate NFT and crypto space figures, posting a warning about the trend on Aug. 4.

NFT protocol JPEG’d confirmed 5,495 ETH worth about $10 million was returned by the Curve Finance hacker, who received a bounty of 610.6 ETH, or $1.1 million.

Magazine: 6 Questions for Simon Davis of Mighty Bear Games

El Salvador buys 11 BTC only a day after reaching a deal with IMF

OpenSea patches vulnerability that potentially exposed users’ identities

Cybersecurity firm Imperva found a vulnerability that could be used to leak user information such as email addresses and phone numbers, which has now been patched.

Nonfungible token marketplace OpenSea has reportedly patched a vulnerability that, if exploited, could have exposed identifying information about its anonymous users. 

In a March 9 blog post, cybersecurity firm Imperva detailed how it discovered the vulnerability, which it claimed could deanonymize OpenSea users “by linking an IP address, a browser session, or an email in certain conditions” to an NFT.

As the NFT corresponds to a cryptocurrency wallet address, a user’s real identity could be revealed from the information gathered and linked to the wallet and its activity, Imperva explained.

The exploit is understood to have taken advantage of a cross-site search vulnerability. Imperva claimed OpenSea had misconfigured a library that resizes webpage elements that load HTML content from elsewhere, elements typically used to place ads, interactive content or embedded videos.

Because OpenSea did not restrict this library’s communications, attackers could use the size information it broadcasts as an “oracle”: a search that returns no results produces a smaller page, which reveals whether a given search matched.

Imperva detailed that an attacker would send their target a link through email or SMS, which if clicked “reveals valuable information, such as the target’s IP address, user agent, device details, and software versions.”

Screenshot of OpenSea's front page. Source: OpenSea

The attacker would then use OpenSea’s vulnerability to extract the NFT names of their target and associate the corresponding wallet address with identifying information, such as the email address or phone number to which the original link was sent.

Imperva said OpenSea “quickly addressed the issue” and properly restricted the library’s communications, reporting that the platform “was no longer at risk of such attacks.”

Related: Security team creates dashboard to detect potential NFT hacks in OpenSea

Users of the platform have long been targeted by attacks that mimic OpenSea’s functions, such as phishing websites that resemble the platform or signature requests that appear to originate from OpenSea.

OpenSea itself has faced criticism for its platform security due to a major phishing attack in February 2022 that resulted in over $1.7 million worth of NFTs being stolen from users.

As for the recent patch, it’s unknown how long the vulnerability existed or whether any users were affected by the exploit.

OpenSea did not immediately respond to Cointelegraph’s request for comment.


AkuDreams dev team locks up $33M due to smart contract bug

A highly anticipated NFT project has been hit with an exploit and a smart contract bug, disrupting its auction and leaving the team unable to access $33 million.

The highly anticipated NFT project Akutars was marred by both an exploit and a bug over the weekend, causing over 11,500 Ethereum (ETH), worth nearly $33 million, to be locked forever within a smart contract, inaccessible even to the development team.

The exploit, however, was conducted by someone trying to demonstrate a vulnerability in the project, not to steal funds via a hack.

The project went live on Friday, April 22 with a Dutch auction, a type of auction where the price lowers until it receives a bid, with the first bid winning the sale as long as the price is above the reserve.

The auction opened at 3.5 Ethereum with only 5,495 of the available 15,000 NFTs up for sale and the smart contract set to refund any bidders who were underbid. Holders of an “Aku Mint Pass” were also given a 0.5 Ethereum discount on each minted NFT.

The $33M Bug

In an April 23 Twitter thread explaining the whopping $33 million bug, 0xInuarashi, a developer of multiple NFT projects, explained that Akutars' smart contract was coded so that refunds to bidders had to be processed before the team could withdraw any funds.

The contract had a further caveat that a minimum number of bids had to be made before it would allow the team to withdraw, but that minimum number of bids was set to equal the number of NFTs available for auction.

Because some buyers minted multiple NFTs within a single bid, the number of bids can never reach that minimum, so the contract will never unlock, sealing away the nearly $33 million in Ethereum forever.

Cointelegraph contacted the Akutars team for comment but did not immediately hear back.

The exploit

In a now-deleted tweet by the Akutars team, shared by DeFi developer foobar, the team said developers had reached out warning that its contract could be exploited, but it appeared to shrug them off completely, labelling the potential exploit a “feature”.

During the mint, an unknown individual executed what’s known as a “griefing contract”, which blocked the Akutars contract from processing refunds to those who were underbid. The individual even embedded a message on the blockchain to the Akutars team saying they would stop blocking the contract:

“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”
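The two failure modes described above, the refund loop that a griefing contract can block and the withdraw gate that counts bids rather than NFTs minted, modelled as an added example in Python. This is a simplified model written for this page, not the Akutars contract or 0xInuarashi's analysis; the function names, the bid data and the final price of 2 ETH are constructed assumptions.

```python
from dataclasses import dataclass
TOTAL_FOR_AUCTION = 5495  # NFTs offered in the Dutch auction, per the article

@dataclass
class Bid:
    bidder: str
    paid: int                  # ETH sent with this bid (whole ETH, simplified)
    quantity: int              # NFTs minted in this single bid
    rejects_eth: bool = False  # models a griefing contract whose receive() reverts

def push_refunds(bids, final_price):
    # Vulnerable pattern: one loop pays every overbid back, so a single
    # recipient that reverts on receiving ETH aborts refunds for everyone.
    for b in bids:
        if b.paid > final_price * b.quantity and b.rejects_eth:
            raise RuntimeError(f"refund to {b.bidder} reverted")
    return True

def pull_refunds(bids, final_price):
    # Hardened pattern: record what each bidder may claim later; a bidder
    # that cannot receive ETH blocks nobody but itself.
    return {b.bidder: b.paid - final_price * b.quantity
            for b in bids if b.paid > final_price * b.quantity}

def withdraw_gate_vulnerable(bids, refunds_done):
    # Gate as the article describes: bid COUNT must reach the NFT supply, but
    # a bid minting several NFTs counts once, so a sold-out sale can never pass.
    return refunds_done and len(bids) >= TOTAL_FOR_AUCTION

def withdraw_gate_hardened(bids, refunds_done):
    # Count NFTs minted rather than bids, so a sold-out sale unlocks as intended.
    return refunds_done and sum(b.quantity for b in bids) >= TOTAL_FOR_AUCTION

def constructed_bids():
    # Constructed sample, not on-chain data: supply sells out, most bidders mint
    # two NFTs per bid, and one overbid refund is owed to a rejecting contract.
    return ([Bid(f"w{i}", paid=6, quantity=2) for i in range(TOTAL_FOR_AUCTION // 2)]
            + [Bid("griefer", paid=4, quantity=1, rejects_eth=True)])

def simulate(final_price=2):
    bids = constructed_bids()
    try:
        refunded = push_refunds(bids, final_price)
    except RuntimeError:
        refunded = False
    return {"minted": sum(b.quantity for b in bids), "bid_count": len(bids),
            "vulnerable_unlocks": withdraw_gate_vulnerable(bids, refunded),
            "vulnerable_unlocks_without_griefer": withdraw_gate_vulnerable(bids, True),
            "hardened_unlocks": withdraw_gate_hardened(bids, True),
            "griefer_claimable": pull_refunds(bids, final_price)["griefer"]}
```

Even with the griefer removed, the vulnerable gate stays locked because 2,748 bids minted all 5,495 NFTs; only counting minted tokens, plus pull-based refunds, lets the sold-out sale withdraw.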

Akutars then promptly responded by taking responsibility for the code and suggesting that the exploit “was not done out of malice” and that the person “intended to bring attention to best practices for highly visible projects.”

In a tweet the same day, the project's founder and former pro baseball player Micah Johnson apologized to the community, saying that after letting them down he will "continue to build brick by brick" and work tirelessly to avoid similar issues going forward.

The team also said that it will be issuing 0.5 Ethereum refunds to pass holders as well as airdropping the NFT to successful bidders.

In an update posted on Sunday, April 24, the team said it had rewritten its minting contract, which was then audited by several developers, and plans to mint on Monday, April 25.

Related: Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

This article has been updated, with the headline changing from "$34M" to "$33M"
