Quixotic, the largest NFT marketplace on Optimism, announced on July 1 that a recent contract update had been exploited, resulting in the loss of ERC-20 tokens.
The team assured users that lost funds would be returned and that NFTs listed on the platform were unaffected. However, as a precaution, all market activity has been halted while the developers investigate further.
We can confirm that a recent update to our marketplace contract has been exploited, allowing a hacker to steal approved ERC-20 tokens
1. We will refund all stolen ERC-20 tokens
2. NFTs remain safe and unaffected by the exploit
3. All market activity remains paused https://t.co/wBYt903QVO
– Quixotic 🔴✨ – Optimism NFT Marketplace (@quixotic_io) July 1, 2022
Quixotic users are not required to take any action, as the vulnerable contract has been terminated and refunds will be made “in the coming days”.
More details on the Quixotic NFT exploit
The exploit was first noted by the NFT project team Apetimism, which alerted the community with a tweet in the early hours of July 1 (BST). The team identified the offer feature as the source of the vulnerability and suggested that members cancel open offers to protect themselves.
“An attacker attacks the “Offer” functionality. Therefore, we suggest that you immediately cancel all offers if you have one.”
Elaborating further, Apetimism said that, based on its analysis, the hacker appeared to have been able to transfer the offers made on NFTs to their own wallet. The team surmised that the hacker had deployed their own smart contract to override the existing logic and exploit the offer function.
How? An attacker deployed a contract to bypass some of Quixotic’s smart contract logic on the offer functionality. This would allow them to steal all tokens used in any offer on Quixotic in any currency.
— Apetimism 🔴 | Sold out (@apetimism) July 1, 2022
Apetimism reported that $100,000 had been lost so far. However, since this tweet went out, an analysis of the hacker’s wallet shows several large outflows above $100,000.
The largest single transfer was for 110,756 USDC, while the second largest transaction was for 170,882 Optimism (OP), worth $90,500 at the current price.
Another trace shows that the hacker is actively splitting the stolen funds into smaller sums and sending them to several other addresses.
What is Quixotic?
Quixotic is the largest NFT marketplace on Optimism, an Ethereum Layer-2 platform.
It offers an average transaction fee of just 0.0005 ETH ($1.50), which makes the platform much more usable for most NFT traders. The company estimates that it has saved its members approximately $2 million in gas costs since its inception.
On-chain tracking shows that the platform has generated $419,500 in volume over the past 30 days, but user activity has dropped significantly since June 14.