This article was featured in our newsletter, Alts & Ends. Click here to subscribe for free and receive the best collectible market insights straight to your inbox on a weekly basis!
Vincenzo Perrugia stole the Mona Lisa from the Louvre in August 1911. Unknown thieves stole The Storm on the Sea of Galilee from the Isabella Stewart Gardner Museum in March 1990. In December 2023, an attacker stole works of art of slightly lesser cultural importance: 37 Bored Apes in a security breach of peer-to-peer platform NFT Trader.
For the two masterworks, theft created greater fame, recognition, and appreciation (or longing, in the Rembrandt's case). For the animal jpegs, theft threw another banana peel in the face of NFTs and the Web3 ecosystem.
Security vulnerabilities have long plagued the crypto world. A summer 2022 study by ImmuneFi concluded 143 Bored Apes had been stolen since the project's inception. Last week's hack adds 37 Bored Apes, 18 Mutant Apes, 4 World of Women, and a VeeFriend to the tally, among others. Thankfully, we understand the partridge in a pear tree was unaffected. Estimates suggest the value of the stolen NFTs amounted to approximately $3 million, with some prized Apes among the contraband.
Hackers exploited a vulnerability in old "smart" contracts, affecting users who had traded on NFT Trader in the past and still had permissions enabled allowing for unauthorized transfers. One such hacker posted some bizarre on-chain messages, noting "monkeys are safe" and requesting a bounty for his troubles.
A real Danny Ocean!
Still, we haven't been so relieved to hear "monkeys are safe" since the space chimps returned to Earth. The hacker returned some assets for free, some for the requested bounty, and in one bizarre case returned an NFT along with 31 ETH. Some owners were hesitant to pay the bounty, fearing further theft. Fortunately, Boring Security, a non-profit web3 security organization backed by ApeCoin, soon entered the fray. The organization was able to recover the stolen NFTs, paying bounties amounting to 10% of the floor price of the projects. The bounty was apparently funded by Greg Solano, co-founder of BAYC-creator Yuga Labs.
The vulnerability arose from a smart contract upgrade, and it was discovered by Web3 developer "Foobar," who helped the NFT Trader team stop further attacks. Web3 pseudonyms never disappoint, do they? While vulnerabilities do get remedied and focus on Web3 security increases with each passing incident, perception of the space declines. Outsiders and naysayers take each incident as further confirmation of their understanding of the space as an unserious one. It takes a long time to build trust, but only moments to lose it. In a space short on trust to begin with, continued follies stifle broader adoption.
Ironically, the incident comes after three prosperous months in the NFT space. The floor price for Bored Ape Yacht Club hit all-time lows in September and October in the mid-$30k range. Since then, momentum has been positive. Floor prices sit near $57,000 today, with ETH and broader crypto having rallied significantly over the same period. That's a far cry from peaks over $350k in early 2022, but we're still talking about $60k for monkey jpegs at the low end. And their value is still sufficient to make their theft significant news.
When you consider the resources dedicated to preventing bank fraud, the Wild West structure of Web3 is unlikely to prove inviting to a large population of outsiders. Wallets can be emptied by a wrong click or by a smart contract gone dumber. Our interactions with our traditional financial systems are built on some level of trust, well-founded or not; there's a belief funds will remain where we deposit them and arrive where we send them. But crypto novices don't harbor that same trust for a system meant to displace traditional finance.
For all but the most sophisticated, the pitfalls of the crypto landscape are difficult to avoid, an unfortunate reality proven once again by the NFT Trader vulnerability. We'd say the heist was a little like robbing the blind in that regard, but there are probably still BAYC holders recovering from severe retina burn sustained at Apefest in November.
Enjoyed this article? Don't forget to subscribe to our newsletter to receive more like it in your inbox weekly!
Disclaimer: You understand that by reading Altan Insights, you are not receiving financial advice. No content published here constitutes a recommendation that any particular security, transaction, or investment strategy is suitable for any specific person. You further understand that the author(s) are not advising you personally concerning the nature, potential, value or suitability of any particular security, transaction, or investment strategy. You alone are solely responsible for determining whether an investment, security or strategy, or any other product or service, is appropriate or suitable for you based on your investment objectives and personal financial situation. Please speak with a financial advisor to understand if the risks inherent in trading are appropriate for you. Trade at your own risk.