Time and time again, we are seeing social media and communication channels such as Discord, Telegram and others become a point of vulnerability for major NFT projects. That was exhibited once again today, as a hacked community admin account on the official BAYC Discord was able to steal roughly 200 ETH worth of NFTs.
Let’s break down what we know, what we’ve seen to date from issues like this, and what can be done moving forward.
BAYC Is A Target, And Discord Is A Vehicle
The news broke early on Saturday, spread most widely by blockchain analyst and NFT auditor @OKHotshot on Twitter. OKHotshot went on to outline roughly 70 NFT Discord servers that were hit by hacks in the month of May alone.
A BAYC Discord community manager had their account breached, and the attacker went on to post a fraudulent link in the Discord channel, claiming a free mint for BAYC holders. This, of course, was simply a phishing link.
Yuga Labs and the Bored Ape Yacht Club team addressed the vulnerability and have asked users that were impacted to contact them:
Yuga Labs co-founder @GordonGoner went on to express his displeasure in Discord as a tool for web3 communities:
There’s undoubtedly a multitude of variables here, and there is immense pressure on admins of major NFT projects to have flawless security practices.
Bored Ape Yacht Club released their APE token just a couple of months ago, but there's still plenty to speculate on around the blue chip NFT project's token looking ahead. | Source: APE-USD on TradingView.com
Where Does Responsibility Lie?
While it’s easy to hold projects responsible – after all, we’ve seen BAYC Discord and Instagram accounts hacked previously by aspiring phishers – there is also a question of what platforms like Discord can do to address some of these attacks. As OKHotshot notes, 26 of the 70 NFT Discord hacks he documented last month were carried out through Discord’s MEE6 bot.
Others have also criticized the Ethereum smart contract design, which requires a user to sign an approval before a contract can move their assets, meaning that some users may be more likely to click through an approval they didn’t intend to grant.
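The approval phishing described above typically ends with the victim's wallet emitting an ERC-721 ApprovalForAll event granting blanket control to the attacker's contract. The following is an added example, not code from the article or from Yuga Labs, that decodes such events from constructed log entries and flags approvals to operators outside a placeholder allowlist of known marketplaces; all addresses below are made up.

```python
# Flag ERC-721 ApprovalForAll events that hand an unknown operator control over
# a wallet's NFTs. The log entries and addresses are constructed for illustration.

# keccak256("ApprovalForAll(address,address,bool)"): topic0 of the event.
APPROVAL_FOR_ALL_TOPIC = (
    "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
)


def _topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def decode_approval_for_all(log: dict):
    """Return (owner, operator, approved) for an ApprovalForAll log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    owner = _topic_to_address(topics[1])
    operator = _topic_to_address(topics[2])
    approved = int(log["data"], 16) != 0  # the bool is ABI-encoded in data
    return owner, operator, approved


def flag_unknown_operators(logs, watched_owner, known_operators):
    """Operators the watched wallet approved that are not on the allowlist.
    A blanket approval to an unfamiliar contract is what a fake 'free mint'
    page tries to obtain, so each one is returned as (collection, operator)."""
    watched_owner = watched_owner.lower()
    allow = {a.lower() for a in known_operators}
    flagged = []
    for log in logs:
        decoded = decode_approval_for_all(log)
        if decoded is None:
            continue
        owner, operator, approved = decoded
        if owner == watched_owner and approved and operator not in allow:
            flagged.append((log["collection"], operator))
    return flagged


def _pad(addr: str) -> str:
    """Build a 32-byte topic from a 20-byte address (for the constructed sample)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


OWNER = "0x" + "11" * 20               # constructed victim wallet
KNOWN_MARKETPLACE = "0x" + "22" * 20   # placeholder, not a real marketplace
UNKNOWN_CONTRACT = "0x" + "33" * 20    # placeholder for a phishing contract
SAMPLE_LOGS = [  # constructed: one known approval, one unknown, one revocation
    {"collection": "CollectionA", "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(OWNER), _pad(KNOWN_MARKETPLACE)], "data": "0x" + "0" * 63 + "1"},
    {"collection": "CollectionA", "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(OWNER), _pad(UNKNOWN_CONTRACT)], "data": "0x" + "0" * 63 + "1"},
    {"collection": "CollectionB", "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(OWNER), _pad(UNKNOWN_CONTRACT)], "data": "0x" + "0" * 64},
]

if __name__ == "__main__":
    print(flag_unknown_operators(SAMPLE_LOGS, OWNER, [KNOWN_MARKETPLACE]))
```

Against live data the same functions apply to logs fetched for the wallet's collections; the revoked approval in the third sample shows why the `approved` flag must be checked rather than the event's presence alone.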
In all, it’s just another testament that there is a long way to go in hardening everything around NFTs. In the meantime, please don’t forget that if it looks too good to be true, it probably is, and that if a message seems suspect, there is always the possibility that the admin account posting it has been hacked.