On the morning of April 1st, the Bored Ape Yacht Club Discord was hacked and there was an announcement posted about minting mutant dogs (BAKC) and staking it for $APE.
Users who clicked the link were taken to an external scam website that offered to mint an NFT and prompted them to sign a transaction granting approvalAll permission, which the hackers then used to siphon off the most valuable NFTs from the victim's wallet.
This was a coordinated hack and similar messages were posted in the DOODLES discord server along with 7 other discord servers.
Time the issue was in effect: 2 hours
Time to resolve the issue once discovered: 45 mins (bug patched in the TicketTool Discord bot)
All times are in CST
12:30am: BAYC Discord was hacked
12:52am: BAYC tweeted about it and locked down their server
1:46pm: TicketTool Discord Bot identified as the root cause
2:34pm: The bug was patched in the TicketTool bot
It looks like 3 Discord bots were hacked or had a bug such that anyone (with just user roles) could create and assign webhooks to themselves. This allowed the hackers to abuse these webhooks and post announcement messages in the Discord servers, trying to get users to go to their scam website.
A recent update I made to the add command had a bug allowing for some type of permission exploit.
The affected Discord bots were removed from the server, which invalidated the authorization token and webhooks the hackers had used to post messages in the Discord server.
Additionally, the hacked Discord bots were also patched. Ticket Tool has stated they reverted to the previous uncompromised version that doesn't have the bug, and they also regenerated their Discord token just in case.
I've reverted the update to the previous uncompromised version and will be looking into exactly how this happened.
The bot itself is not compromised beyond a very unfortunate bug.
- Ticket tool bot
- Captcha bot
- Arcane bot
- 1 Mutant and a fractional ETH from BAYC discord
- 1 WOW, 1 HAPE, 1 Space doodle, 1 azuki from Doodles discord
- Potentially other less-valuable NFTs from the other servers
- Avoid installing any 3rd party Discord apps that utilize Discord Webhooks
- Webhooks can send messages to a text channel without having to log in as a bot. They can also fetch, edit, and delete their own messages.
- When installing new Discord bots, check every permission it requests and ensure no admin permissions are granted
- If you want to keep your bot's permission checks simple, you might find it sufficient to check if the member executing the command has a specific role.
- Ensure all Discord admins have two-factor authentication (2FA) turned on
- By requiring all admin accounts to have 2FA turned on, you protect your server from malicious users who might try to compromise one of your moderators' or administrators' accounts and then make unwanted changes to your server.
- Close your DMs and change your password regularly
- Discord DMs are a very easy channel for luring users into deals that are too good to be true
- Discord DMs don't have any sort of social verification (unlike Twitter), so it's hard to know who you are talking to
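The webhook bug above and the "check for a specific role" advice both come down to the same authorization gate: a bot command that creates or assigns a webhook must verify the caller's effective permissions, not merely that the caller has some role. The example below is added here and is not Ticket Tool's code or any of the affected bots' code; the ADMINISTRATOR and MANAGE_WEBHOOKS bit values are Discord's real permission flags, while the guild roles, members and the "add" command handler are constructed for illustration.

```javascript
// Discord permission flags (real bit positions in the guild permission bitfield).
const ADMINISTRATOR = 1n << 3n;     // 0x8: implies every other permission
const MANAGE_WEBHOOKS = 1n << 29n;  // 0x20000000

// Constructed sample guild: role id -> permission bitfield.
const roles = {
  everyone: { name: "@everyone", permissions: 0n },
  user: { name: "User", permissions: 0n },                 // plain member role
  mod: { name: "Moderator", permissions: MANAGE_WEBHOOKS },
  admin: { name: "Admin", permissions: ADMINISTRATOR },
};

// Effective permissions are the OR of every role the member holds.
function effectivePermissions(member) {
  return member.roleIds.reduce((acc, id) => {
    const role = roles[id];
    return acc | (role ? role.permissions : 0n);
  }, 0n);
}

// ADMINISTRATOR grants everything, so check it before the specific flag.
function hasPermission(bits, flag) {
  return (bits & ADMINISTRATOR) !== 0n || (bits & flag) !== 0n;
}

// Weak gate: "has any role" is not authorization. Every guild member has
// @everyone and usually a basic user role, so this lets anyone through.
function weakCanCreateWebhook(member) {
  return member.roleIds.length > 0;
}

// Hardened gate: require MANAGE_WEBHOOKS (or ADMINISTRATOR) on the member's
// effective permissions, or membership in an explicitly allow-listed role.
function canCreateWebhook(member, allowedRoleIds = []) {
  if (hasPermission(effectivePermissions(member), MANAGE_WEBHOOKS)) return true;
  return member.roleIds.some((id) => allowedRoleIds.includes(id));
}

// Hypothetical "add" command that provisions a webhook; `guard` is the check applied.
function handleAddCommand(member, guard) {
  if (!guard(member)) return { ok: false, error: "caller lacks MANAGE_WEBHOOKS" };
  return { ok: true, webhook: { channelId: member.channelId, createdBy: member.id } };
}

// Constructed members used for the checks below.
const plainUser = { id: "u1", roleIds: ["everyone", "user"], channelId: "announcements" };
const moderator = { id: "u2", roleIds: ["everyone", "mod"], channelId: "announcements" };
const adminUser = { id: "u3", roleIds: ["everyone", "admin"], channelId: "announcements" };
```

With the weak gate, `plainUser` can provision a webhook into the announcements channel; with the hardened gate only `moderator`, `adminUser`, or a member of an allow-listed role can.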