BAYC

First up, we have the Bored Ape Yacht Club. Their official Instagram account was hacked and followers were given a compromised link to a questionable website. As it turned out, no mint was scheduled for that day, and people who clicked the link and connected their Ethereum wallets were robbed of approximately $2.8M worth of NFTs.
The website that redirected users to the hackers was a duplicate of the original Bored Ape website and falsely claimed that parent company Yuga Labs was offering free land as NFTs for its soon-to-be-launched Metaverse game, Otherside. It claimed that users who linked their Ethereum wallets would be airdropped NFT pieces of land from the hyped game, and apparently it did not matter whether those users were BAYC holders.
Scammers eventually stole 91 NFTs from users who took the bait. Among the ones stolen were seven Mutant Ape Yacht Club NFTs, four Bored Ape Yacht Club NFTs and three Bored Ape Kennel Club NFTs. The theft apparently coincided with the one-year anniversary of Yuga Labs' launch of the BAYC collection, which led the scammed users to believe it had to be some kind of celebratory airdrop.
The wallet behind the theft had users connect their MetaMask to it in order to receive the false airdrop. It was a safeTransferFrom attack, and an official statement from Yuga Labs read, “At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account. Two-factor authentication was enabled and the security practices surrounding the IG account were tight. Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating.”
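A pre-signing check for the kind of request described above, written for this page as an added example and not taken from MetaMask or Yuga Labs: it decodes a transaction's calldata and flags ERC-721 calls that move a token out of the user's wallet or hand control of a collection to an unknown operator. The function names, the risk labels and the sample addresses are assumptions made for the illustration.

```python
# Well-known ERC-721 selectors: first 4 bytes of keccak256(function signature).
SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def _addr(word):
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[24:]

def review_calldata(calldata, my_wallets):
    """Classify a transaction's calldata before it is signed."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    mine = {w.lower() for w in my_wallets}
    if name is None:
        return {"function": None, "risk": "unknown", "detail": "selector not recognised"}
    needed = 2 if name.startswith("setApprovalForAll") else 3
    if len(words) < needed or any(len(w) != 64 for w in words[:needed]):
        return {"function": name, "risk": "unknown", "detail": "truncated arguments"}
    if needed == 2:
        operator, granted = _addr(words[0]), int(words[1], 16) != 0
        risky = granted and operator not in mine
        detail = f"approval for operator {operator} set to {granted}"
    else:
        sender, recipient, token_id = _addr(words[0]), _addr(words[1]), int(words[2], 16)
        risky = sender in mine and recipient not in mine
        detail = f"token {token_id} leaves {sender} for {recipient}"
    return {"function": name, "risk": "high" if risky else "low", "detail": detail}

# Constructed sample: placeholder addresses, not taken from the incident.
VICTIM = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
SAMPLE = "0x42842e0e" + "00" * 12 + "11" * 20 + "00" * 12 + "22" * 20 + format(1234, "064x")

if __name__ == "__main__":
    print(review_calldata(SAMPLE, {VICTIM}))
```

A request presented as a free airdrop should never decode to a call that carries the user's own address in the `from` position.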
As far as reimbursement is concerned, the firm did not say how it intends to carry it out. Instead, the robbed users were offered a bleak response to the whole scam: that the firm was “actively working to establish contact with affected users,” and that it was “actively working on a solution”. This scam is similar to previous hacks that happened with ApeCoin and Moonbirds. However, it is disappointing that, with the increasing frequency of such attacks, the parent firms have been slow to adopt stronger security measures.
BigVerse

Next, we have a court in Hangzhou, China ruling against BigVerse, the parent company of NFTCN. According to the South China Morning Post, Chinese artist Ma Qianli claims that one of his cartoons was stolen by the NFT marketplace for distribution or commercial use. Shenzhen-based company Qice filed a lawsuit against BigVerse, charging it with infringement of Ma’s right “to disseminate works through information networks”, and sought reimbursement from the platform for the financial damages incurred.
The court issued a unique judgement in favor of the Chinese artist and ordered BigVerse to pay a fine of 4000 Yuan (approximately $610). It also ordered NFTCN to stop further circulation of Ma’s artworks. BigVerse was found guilty of not examining the authenticity of assets before they are circulated, making it liable to forgery and theft charges over items that are protected by Intellectual Property (IP) rights.
Ma’s copyrighted artwork showed a cartoon tiger receiving a vaccine shot, and this was apparently stolen and sold for about 900 Yuan (approx. $137). Because of the weak security infrastructure around minting NFTs and using cryptocurrency in general, the Chinese artist, who specializes in drawing and painting, fell prey to thieving practices on the platform. The Chinese government has always been wary of illicit activities surrounding crypto trading and transactions during NFT sales. A blanket ban has been imposed, and Chinese authorities have issued a public warning discouraging the use of cryptocurrencies like BTC and ETH for online transactions. As much as they support innovation in the field of blockchain mining, they are also looking to impose limitations on the “financialization and securitization” of NFTs that expose users to a greater level of fiscal risk.
Sky Mavis and Ronin Network

In the wake of a massive hack of the Ronin Network, Sky Mavis plans to upgrade its security infrastructure by doubling its nodes and offering bug bounties worth a million USD. The hack was carried out with the help of stolen credentials of a former Sky Mavis employee, who is also a developer for Axie Infinity. It was a spear-phishing attack that compromised 4 out of 9 Sky Mavis validator nodes, and the network was robbed of nearly $600 million. The individuals responsible for the hack were able to find a loophole in the “gas-free RPC node, which they abused to get the signature for the Axie DAO validator”, according to the studio. Back in November 2021, Sky Mavis was allowed to access and sign a number of transactions on behalf of Axie DAO; this arrangement was permitted because of a huge user load on the Vietnamese game studio’s servers. The allowlist access was not revoked even after the distribution stopped in December 2021, which left the platform’s nodes vulnerable to attack.
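The two conditions described above, a delegation that outlived its purpose and one party able to reach a signing quorum, can be checked mechanically. The audit below is an added example, not Sky Mavis or Ronin code: the validator names, the data model, the dates and the 5-of-9 threshold are assumptions chosen to mirror the account on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Validator:
    name: str
    operator: str                      # party that holds the signing key
    signs_for: Optional[str] = None    # party allowlisted to obtain this key's signature
    grant_ends: Optional[date] = None  # date after which the allowlisting is no longer needed

def reachable_signatures(validators):
    """Signatures each party can obtain: its own keys plus keys allowlisted to it."""
    reach = {}
    for v in validators:
        reach.setdefault(v.operator, set()).add(v.name)
        if v.signs_for:
            reach.setdefault(v.signs_for, set()).add(v.name)
    return reach

def audit(validators, threshold, today):
    """Report allowlist entries past their end date and parties that alone meet the quorum."""
    findings = []
    for v in validators:
        if v.signs_for and v.grant_ends and v.grant_ends < today:
            findings.append(("stale-allowlist", v.name, v.signs_for))
    for party, names in sorted(reachable_signatures(validators).items()):
        if len(names) >= threshold:
            findings.append(("single-party-quorum", party, len(names)))
    return findings

# Constructed validator set: nine validators, four run by one studio, plus one
# DAO validator still allowlisted to that studio (end date is a placeholder).
VALIDATORS = (
    [Validator(f"sm-{i}", "Sky Mavis") for i in range(1, 5)]
    + [Validator("axie-dao", "Axie DAO", signs_for="Sky Mavis", grant_ends=date(2021, 12, 31))]
    + [Validator(f"ext-{i}", f"Operator {i}") for i in range(1, 5)]
)
THRESHOLD = 5  # assumption: signatures required to approve a withdrawal

if __name__ == "__main__":
    for finding in audit(VALIDATORS, THRESHOLD, date(2022, 3, 1)):
        print(finding)
```

Run on a schedule against the live validator and allowlist configuration, a non-empty result means a compromise of one organisation is enough to approve transactions.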
Binance has agreed to support Axie users with transaction and architectural assistance until Ronin Network reopens its revamped bridge by late May. The Network is working continuously to upgrade its smart contracts, revise backend functions and migrate pending clearances. It will also be launching a validator dashboard that would help in “approving large transactions and adding/removing new validators.” The Network says it is 80% of the way through the bridge redesign and hopes to provide users with stronger security measures to safeguard their assets. Ronin announced its platform upgrades in a published report that also promises users that this will “never happen again” and that it is working to restore all that was lost.
Sky Mavis will also be looking to revamp its security framework with the help of security experts who will handle contract audits and revise the company’s standard operating procedures. Strict measures will be taken to protect the platform from security breaches, including increasing the validator node count to at least 21 nodes within three months and offering bug bounties of up to $1 million for white hat hackers who find existing technical loopholes that compromise user transactions. It is definitely impressive that the two platforms have been working rigorously to implement a more robust security framework, now that such breaches are on the rise and only a few companies vow to actually evaluate and correct their errors.