🦸‍♀️ Cypherpunk Zero NFT Megathread

Attention!

4 hours ago, this address was hijacked by our CPZ. I did not sign anything and how it happened I do not understand.

At the same time, one of them cost me a lot of money.

Does anyone know what’s going on?

damn. sad. was it hot wallet in metamask?

Yes. Metamask. But I don’t go into it at all. In total, the hacker took 31 of our most valuable NFTs. One from each address. How did that happen? It was exclusively CPZs.

How can we make that claim?

I have a suspicion that there’s a bug in the smart contract.

Because some address had done a lot of transactions the day before and somehow that allowed it to take possession of a lot of NFTs without the owner’s signature.

I don’t know much about it, it’s just the facts as I see them right now. How can we label this address fraudulent before he starts getting rid of the tokens?
He’s doing it right now!

@decentralistdan @nuttycom

Looks like at least 1 of mine was stolen which was in a Ledger, I haven’t had a closer look if there’s more

oh no. sumting weird must be goin on den.

Yeah looks like numbers 30-61 roughly of the first 200 were all transferred out of their wallets at the same time

The thief is trying to get something by bidding Dan’s (@decentralistdan) NFT lowering the price. We must to have a mechanism to send him further up the ass. I think he’s in the wrong community to manipulate here with money.

I can report that one of my NFT has also been moved. This NFT is the one that I received from MJ and has never approved its transfer. I have reported the account that first received the stolen items to OpenSea. Not sure, how fast they will act but hopefully the account and items will not be tradable.

Were the first 200 the ones distributed to the buyers of the toy(?)

yes, the early ones were sold separately (wif the irl toy). but i dont haf more info on it.

The community can report the suspicious items to OpenSea so that they can freeze the trade on them. While not perfect, this will disable the avenue for the attacker to cash out. The report is more effective if done by the accounts affected in this, specifically holders of CPZ #30 to #61

The attacker’s account: https://opensea.io/0x44cdf0E532Dda3474dAE859181e5865380d86a73
The suspicious transaction: Ethereum Transaction Hash (Txhash) Details | Etherscan

Update: After I submitted ticket to OpenSea, they have frozen the item stolen from my account. Other stolen items have not been frozen yet but I have sent them a reply regarding this.

OpenSea report centre: https://support.opensea.io/hc/en-us/requests/new

It has nothing to do with the ECC. According to available information, various ERC-721 smart contracts are vulnerable to this vulnerability and it can be any collection of a certain time interval. It so happened that on the eve of the incident the trading volume of Cypherpunk Zero collection increased a lot. The thief noticed CPZ for that very reason. It’s a coincidence. I’ve tracked that the thief has been exploiting this vulnerability for a long time and stealing rare NFTs from many collections, taking advantage of the fact that in a quiet market the owners don’t notice the loss. I have motion alerts installed on my address and it was only because of this that I discovered the problem quickly.

my question wud be are all NFT holders vulnerable now or only certain ones like the early ones?
and wer is de bug or security hole?

Hole at the smart contract level. A very large list of smart contracts is affected, but it is useless to list them, because I don’t know how to even check my NFT to see if it belongs to any version. Therefore, I don’t know who and what exactly is vulnerable and I can’t answer.

What I do know is this. It is impossible to do anything at the user level at this time. On the contrary, I would recommend doing nothing. I don’t know the details, but since the thief only stole one NFT from me, and there was plenty to choose from, it’s probably best not to move anything. There is logic in that.

While this is being mitigated, you should be able to revoke approvals on all CPZ contracts: revoke.cash

All my 4 nft are gone from my trust wallet wtf.

Oh I went through the whole OpenSea appeal thing. They of course froze the NFT for a week after the application, but in order for the ban on their platform to be valid further it was suggested to write a police report. To which I replied that I am not a US resident. And it was suggested that I report the theft to the FBI. I laughed to myself at first, but then thought it might be helpful to all those affected and did so. I still can’t believe how I ended up in the metaverse where I write to the FBI because of a stolen expensive jpeg.

I could be wrong, but it seems the intruder robbed the treasury.

Some of these CZNFTs that have been just robbed from the treasury, have been bought by someone already. Any of these should not be banned/restricted/flagged. They were bought by the biggest CZNFT stakeholder. Please make sure no buyers of these NFTs sold by the hacker (either from #31–60 range or the new ones robbed from the treasury) are further harmed by banning it.

@adjychris @zooko