Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
On December 16, the SlowMist security team issued an alert that @NftTrader appeared to have been exploited due to a reentrancy issue. On December 17, the NFT Trader hacker claimed in on-chain messages that the original attack had been perpetrated by someone else, but that they were one of the many copycat attackers, describing themselves as someone who had "[come] here to pick up residual garbage". They requested victims send additional ETH to get their NFTs back. "If you want the monkey nft back, then you need to pay me a bouty, which is what I deserve", they wrote, asking for NFT holders to send them 10% of the Ape floor price. On December 17, Boring Security tweeted, "All 36 BAYC and 18 MAYC that the exploiter had are now in our possession. We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge." Attack method (per SlowMist): Reentrancy Attack. Reported loss: $ 3,000,000.
- chain
- —
- protocol
- NFT Trader
- bug_class
- reentrancy
- date_occurred
- 2023-12-16
- loss_usd
- $3,000,000
- source_id
- sm:nft-trader::2023-12-16