
NFT Trader Suffers $3 Million NFT Theft Through Legacy Smart Contract Exploit

The peer-to-peer NFT trading platform NFT Trader has fallen victim to one of the most significant security breaches in the NFT market’s history. Attackers exploited vulnerabilities in the platform’s legacy smart contracts, making off with high-value NFTs worth approximately $3 million, including dozens of Bored Ape Yacht Club and Mutant Ape Yacht Club tokens.

The Exploit Mechanics

The attack hinged on a combination of a reentrancy vulnerability in NFT Trader’s old smart contracts and token approvals that users had never revoked. Reentrancy attacks occur when a malicious contract calls back into the vulnerable contract before the first execution completes, allowing the attacker to repeatedly drain funds or assets before the contract can update its balance. In this case, attackers leveraged longstanding permissions that users had granted to the older contracts during previous trading activity. Because these approvals were never removed, the old contracts retained the ability to transfer NFTs on behalf of their owners, even after newer, presumably more secure contracts were deployed.
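As an added illustration, not NFT Trader's code (the page does not reproduce its contracts): a hypothetical escrow vault in Solidity with the interaction-before-effect defect the paragraph describes, beside the same vault written checks-effects-interactions style with OpenZeppelin's ReentrancyGuard. The vault, its names and the OpenZeppelin import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical vault: a user deposits NFTs from one collection (the contract
// moves them using the user's setApprovalForAll grant) and may later withdraw
// as many tokens as it deposited.
contract VulnerableVault {
    IERC721 public immutable nft;
    mapping(address => uint256) public claimable; // tokens each user may withdraw

    constructor(IERC721 collection) { nft = collection; }

    function deposit(uint256 id) external {
        nft.transferFrom(msg.sender, address(this), id); // relies on approval
        claimable[msg.sender] += 1;
    }

    function withdraw(uint256 id) external {
        require(claimable[msg.sender] > 0, "nothing to claim");
        // BUG: interaction before effect. safeTransferFrom invokes the
        // recipient's onERC721Received hook while claimable is still > 0, so
        // a contract recipient can re-enter withdraw() with other token ids
        // and take tokens it never deposited.
        nft.safeTransferFrom(address(this), msg.sender, id);
        claimable[msg.sender] -= 1;
    }
}

// Same vault with checks-effects-interactions plus a reentrancy guard.
contract HardenedVault is ReentrancyGuard {
    IERC721 public immutable nft;
    mapping(address => uint256) public claimable;

    constructor(IERC721 collection) { nft = collection; }

    function deposit(uint256 id) external nonReentrant {
        claimable[msg.sender] += 1;                       // effect first
        nft.transferFrom(msg.sender, address(this), id);  // then interaction
    }

    function withdraw(uint256 id) external nonReentrant {
        require(claimable[msg.sender] > 0, "nothing to claim"); // check
        claimable[msg.sender] -= 1;                             // effect
        nft.safeTransferFrom(address(this), msg.sender, id);    // interaction
    }
}
```

Note that the vulnerable vault only works as an operator because the user once called setApprovalForAll on it; the hardened contract does nothing to clear that grant on the old one.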

Affected Systems

The scope of the theft was staggering. At least 37 Bored Ape Yacht Club NFTs, 13 Mutant Ape Yacht Club NFTs, and tokens from the VeeFriends, World of Women, and Art Blocks collections were stolen. Some of the individual Bored Apes were valued at over $300,000 each at the time of the attack. Additionally, some ETH and APE tokens were drained from affected wallets. The attack primarily impacted users who had previously conducted trades on NFT Trader and still had active permissions on the old smart contracts. Multiple copycat attackers joined the fray after the initial exploit was discovered, compounding the damage.

The Mitigation Strategy

NFT Trader’s response involved several steps. The platform updated its smart contracts to fix the reentrancy vulnerability and urgently warned users to revoke all previously granted approvals. Community members and security researchers, including the team at Revoke.cash, played a critical role in identifying how the contracts could be shut down. A Yuga Labs co-founder intervened to negotiate with the attacker, ultimately paying a ransom of 120 ETH, approximately $260,000 at the time, to recover 36 Bored Apes and 18 Mutant Apes. The attacker had demanded 3 ETH per Bored Ape and 0.6 ETH per Mutant Ape as a bounty for returning the stolen assets.

Lessons Learned

This incident exposes a systemic problem in the NFT ecosystem: the danger of lingering token approvals. When users interact with a smart contract, they often grant it permission to transfer their tokens. If that contract is later deprecated but the approvals remain active, it creates a persistent attack surface. The NFT Trader hack demonstrates that even when platforms upgrade to newer contracts, the old ones remain a liability as long as users have not explicitly revoked their permissions. Platforms must implement automated revocation mechanisms or at minimum aggressively notify users to revoke old approvals when migrating to new contracts.
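One caveat on "automated revocation": ERC-721's setApprovalForAll is keyed on msg.sender, so a platform cannot revoke a user's approval for them. What it can do is build a one-way retire switch into each contract so a deprecated operator refuses to move anything even while approvals linger, and expose a view that tooling can use to flag those approvals. Added example in Solidity, not NFT Trader's code; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

contract RetirableSwap {
    address public immutable admin;
    bool public retired; // one-way switch, flipped when a successor goes live

    constructor() { admin = msg.sender; }

    modifier notRetired() {
        require(!retired, "contract retired: revoke your approval to it");
        _;
    }

    // Cannot be undone: once retired, the contract never moves assets again,
    // no matter which lingering setApprovalForAll grants still name it.
    function retire() external {
        require(msg.sender == admin, "not admin");
        retired = true;
    }

    // Every path that uses a user's approval is gated on the switch.
    function transferViaPlatform(IERC721 nft, uint256 id, address to) external notRetired {
        nft.transferFrom(msg.sender, to, id);
    }

    // For dapp banners or wallet tooling: which deprecated operators still
    // hold collection-wide transfer rights over `owner`'s tokens in `nft`.
    function lingeringApprovals(IERC721 nft, address owner, address[] calldata oldOperators)
        external view returns (bool[] memory stillApproved)
    {
        stillApproved = new bool[](oldOperators.length);
        for (uint256 i = 0; i < oldOperators.length; i++) {
            stillApproved[i] = nft.isApprovedForAll(owner, oldOperators[i]);
        }
    }
}
```

The user closes the path for good with nft.setApprovalForAll(oldContract, false), the same call that approval-revocation tools issue from the user's wallet.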

User Action Required

If you have ever traded on NFT Trader or any similar peer-to-peer NFT marketplace, immediately check your wallet’s active token approvals using tools like Revoke.cash. Revoke any permissions granted to old or deprecated contracts. Make revoking approvals a regular part of your security hygiene, especially after completing trades. Additionally, consider using a dedicated wallet for trading activities so that your primary holdings remain insulated from smart contract risks. The NFT Trader breach serves as a stark reminder that in the world of digital assets, old permissions are not just forgotten — they are actively dangerous.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.


10 thoughts on “NFT Trader Suffers $3 Million NFT Theft Through Legacy Smart Contract Exploit”

  1. dozens of apes gone because nobody revoked approvals on contracts they stopped using months ago. painful but so preventable

    1. hard agree on the negligence take. if you deploy new contracts you should have a migration path or at minimum a big warning banner

    2. reentrancy in 2023 is wild. this was solved after the DAO hack. no excuse for legacy contracts to still have this vulnerability

    3. migration path should be automatic. revoke old approvals, flag the new contract in the UI. anything less is negligence on the devs' part

      1. automatic migration is table stakes but most NFT platforms treat contract deployment as fire and forget. the BAYC team had how many months to flag this and didn't

    1. "legacy contracts are zombies" is the most accurate description lol. they just sit there waiting for someone to forget about them

  2. 3M in apes gone because of a reentrancy bug in a contract nobody was supposed to use anymore. every NFT platform needs an active deprecation schedule not a deploy and forget model

