Exploited Bored Ape Yacht Club Discord Admin leads to 200 ETH Heist

Time and time again, social media and communication platforms such as Discord and Telegram turn out to be the weak point for major NFT projects. It happened again today: a hijacked community admin account on the official BAYC Discord was used to steal around 200 ETH worth of NFTs.

Let’s break down what we know, what we’ve seen so far about issues like this, and what can be done to move forward.

BAYC is a target, and Discord is a vehicle

The news was first published early on Saturday and was widely shared by blockchain analyst and NFT auditor @OKHotshot on Twitter. OKHotshot went on to detail roughly 70 NFT Discord servers that were hacked in the month of May alone.

A BAYC Discord community manager had his account hacked, and the attacker then posted a fraudulent link in the Discord channel claiming a free mint for BAYC holders. The link was, of course, a phishing page.

Yuga Labs and the Bored Ape Yacht Club team say they have patched the vulnerability and asked affected users to contact them.

Yuga Labs co-founder @GordonGoner then expressed his dissatisfaction with Discord as a tool for Web3 communities.

There are undoubtedly a multitude of variables here, and there is immense pressure on administrators of large NFT projects to have flawless security practices.

Bored Ape Yacht Club released their APE token just a couple months ago, but there's still plenty to speculate on around the blue chip NFT project's token looking ahead. | Source: APE-USD on TradingView.com


Where is the responsibility?

While it's easy to hold projects accountable (we've seen BAYC Discord and Instagram accounts hijacked by phishers before), there's also a question of what platforms like Discord could do to solve some of these problems. As OKHotshot notes, 26 of the 70 Discord NFT hacks he detailed in the past month were carried out through MEE6, a third-party bot widely installed on NFT servers.

Others have also criticized the approval model of Ethereum NFT contracts, which require the holder to sign an approval before anything can be done with their assets. Users conditioned to click through such prompts are more likely to sign an approval they never intended to grant, and that signature is exactly what a fraudulent "free mint" page needs.
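The check a holder (or a wallet) would want at that moment is to look at what the transaction actually does before signing it. The script below is an added example, not code from the article or from Yuga Labs: it decodes the calldata a dapp asks a wallet to sign and flags a blanket `setApprovalForAll` to an operator that is not on a trust list. The function selectors are the standard first four bytes of keccak256 over the ERC-721 signatures, hardcoded so the script needs no keccak library; the operator and marketplace addresses are constructed placeholders.

```python
"""Added example: flag NFT approval transactions from raw calldata.

A phishing page advertising a "free mint" typically asks the victim to sign
setApprovalForAll(attacker, true); once signed, every token in that
collection can be transferred out by the attacker.  Selectors below are the
canonical first 4 bytes of keccak256(signature) for the ERC-721 functions,
hardcoded so this runs without a keccak library.
"""

# selector -> (function signature, argument types)
APPROVAL_SELECTORS = {
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
}

WORD = 64  # one ABI word is 32 bytes, i.e. 64 hex characters


def _decode_word(word, typ):
    """Decode one 32-byte ABI word holding a static type."""
    if typ == "address":
        return "0x" + word[-40:]          # address is right-aligned in the word
    if typ == "bool":
        return int(word, 16) != 0
    if typ == "uint256":
        return int(word, 16)
    raise ValueError(f"unsupported type {typ}")


def encode_set_approval_for_all(operator, approved):
    """ABI-encode setApprovalForAll(operator, approved); used to build sample input."""
    op = operator.lower().removeprefix("0x").rjust(WORD, "0")
    flag = ("1" if approved else "0").rjust(WORD, "0")
    return "0xa22cb465" + op + flag


def analyze_calldata(calldata, trusted_operators=frozenset()):
    """Return a verdict dict describing what the wallet is about to sign."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8:
        return {"verdict": "unknown", "reason": "no function selector"}
    selector, args = data[:8], data[8:]
    if selector not in APPROVAL_SELECTORS:
        return {"verdict": "not-an-approval", "selector": selector}
    signature, types = APPROVAL_SELECTORS[selector]
    if len(args) != WORD * len(types):
        return {"verdict": "malformed", "function": signature}
    values = [_decode_word(args[i * WORD:(i + 1) * WORD], t)
              for i, t in enumerate(types)]
    trusted = {t.lower() for t in trusted_operators}
    result = {"function": signature, "args": values}
    if selector == "a22cb465":
        operator, approved = values
        if approved and operator not in trusted:
            result["verdict"] = "danger"
            result["reason"] = f"grants {operator} control of every token in the collection"
        elif approved:
            result["verdict"] = "ok"
            result["reason"] = "blanket approval to a trusted operator"
        else:
            result["verdict"] = "ok"
            result["reason"] = "revokes a blanket approval"
    else:
        spender, token_id = values
        result["verdict"] = "ok" if spender in trusted else "warning"
        result["reason"] = f"approves {spender} for token id {token_id} only"
    return result


if __name__ == "__main__":
    # Constructed sample: a "free mint" page that really requests a blanket approval.
    ATTACKER = "0x1111111111111111111111111111111111111111"      # hypothetical operator
    MARKETPLACE = "0x2222222222222222222222222222222222222222"   # hypothetical trusted operator
    tx = encode_set_approval_for_all(ATTACKER, True)
    print(analyze_calldata(tx, trusted_operators={MARKETPLACE}))
    # Any other selector is simply not an approval; a genuine mint would land here.
    print(analyze_calldata("0x12345678"))  # constructed, unrecognized selector
```

In a wallet the trust list would be the marketplaces the user has knowingly approved; anything else asking for `approved=true` deserves a hard stop, whatever the page that triggered it claims to be doing.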

All in all, this is one more sign that there is a long way to go in securing all things NFT. In the meantime, remember that if it sounds too good to be true, it probably is, and that a suspicious message posted from an official admin account may well mean the admin has been hacked.


Featured image from Pixabay, Charts from TradingView.com

The writer of this content is not associated or affiliated with any of the parties mentioned in this article. This is not financial advice.