Incident Learning Report

On the morning of April 1st, the Bored Ape Yacht Club Discord was hacked and an announcement was posted about minting mutant dogs (BAKC) and staking them for $APE.


Users who clicked the link were taken to an external scam website that let them mint an NFT and prompted them to sign a transaction granting approvalAll permission, which the hackers then used to transfer the most valuable NFTs out of the victim's wallet.
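The approvalAll grant described above is the ERC-721/ERC-1155 setApprovalForAll(address,bool) call. As an added example that is not part of this report, the following wallet-side check decodes that call from raw transaction calldata and flags an approve-all grant to an operator outside a hypothetical allowlist; the function selector is the real one, while the allowlist address and the sample calldata are constructed.

```python
"""Flag 'approve-all' transactions before they are signed (added example)."""

# First 4 bytes of keccak256("setApprovalForAll(address,bool)").
SET_APPROVAL_FOR_ALL = "a22cb465"

# Hypothetical allowlist of operator contracts the wallet owner trusts
# (placeholder address, not a real marketplace).
TRUSTED_OPERATORS = {"0x1111111111111111111111111111111111111111"}


def decode_set_approval_for_all(calldata: str):
    """Return (operator, approved) if calldata is setApprovalForAll, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator_word, approved_word = data[8:72], data[72:136]
    # ABI encoding left-pads a 20-byte address with 12 zero bytes (24 hex chars).
    if operator_word[:24] != "0" * 24:
        raise ValueError("malformed address word")
    operator = "0x" + operator_word[24:]
    approved = int(approved_word, 16)
    if approved not in (0, 1):
        raise ValueError("malformed bool word")
    return operator, bool(approved)


def assess_transaction(to: str, calldata: str) -> dict:
    """Rate the risk of signing a call to NFT contract `to` with `calldata`."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return {"risk": "none", "reason": "not an approve-all call"}
    operator, approved = decoded
    if not approved:
        return {"risk": "none", "reason": f"revokes operator {operator}"}
    if operator in TRUSTED_OPERATORS:
        return {"risk": "low", "reason": f"grants known operator {operator} control of all tokens in {to}"}
    # This is the shape of the scam: every token in `to` becomes transferable by a stranger.
    return {"risk": "high", "reason": f"grants UNKNOWN operator {operator} control of ALL tokens in {to}"}


# Constructed sample: approve-all to an unknown operator, as a scam mint site would request.
SAMPLE_OPERATOR = "0x" + "deadbeef" * 5
SAMPLE_CALLDATA = "0x" + SET_APPROVAL_FOR_ALL + "0" * 24 + "deadbeef" * 5 + "0" * 63 + "1"

if __name__ == "__main__":
    print(assess_transaction("0xNFT_CONTRACT_PLACEHOLDER", SAMPLE_CALLDATA))
```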

This was a coordinated hack: similar messages were posted in the DOODLES Discord server and in 7 other Discord servers.

Timeline

Time issue was in effect: 2 hours

Time to resolve issue once discovered: 45 mins (bug patched in the TicketTool Discord bot)

All times are in CST

12:30am: BAYC Discord was hacked

12:52am: BAYC tweeted about it and locked down their server

https://twitter.com/BoredApeYC/status/1509770607759540229

1:46pm: TicketTool Discord Bot identified as the root cause

https://twitter.com/Serpent/status/1509784187154628614

2:34pm: The bug was patched in the TicketTool bot

https://twitter.com/Ticket_Tool/status/1509796229047275559

Identified Root Cause

It looks like 3 Discord bots were hacked or had a bug such that anyone (with only user roles) could create and assign webhooks to themselves. This allowed the hackers to abuse these webhooks to post announcement messages in the affected Discord servers, trying to get users to go to their scam website.

A recent update I made to the add command had a bug allowing for some type of permission exploit.

From the creator of Ticket Tool Discord Bot: https://twitter.com/Ticket_Tool/status/1509796229047275559