Optimism NFT marketplace Quixotic suffers exploit following contract update
The Quixotic attacker was able to hack the offer feature to drain more than $100,000 in Optimism and USDC.
Quixotic, the largest NFT marketplace on Optimism, announced on July 1 that a recent contract update was exploited, leading to the loss of ERC-20 tokens.
The team assured users that lost funds would be returned and that NFTs listed on the platform were unaffected. But as a precautionary measure, all marketplace activity is paused as devs further investigate what happened.
We can confirm that a recent update to our marketplace contract was exploited, allowing a hacker to steal approved ERC-20 tokens
1. We will be refunding all stolen ERC-20 tokens
2. NFTs remain safe and are not affected by the exploit
3. All marketplace activity remains paused https://t.co/wBYt903QVO
— Quixotic 🔴✨ – Optimism NFT Marketplace (@quixotic_io) July 1, 2022
Quixotic users are not required to act as the vulnerable contract has been halted, and refunds will go out “in the coming days.”
More details on the Quixotic NFT exploit
The exploit was first noted by the team at NFT project Apetimism, who duly alerted the community with a tweet in the early hours of July 1 (BST). It pinpointed the offer feature as the source of the vulnerability, suggesting members cancel open offers to protect themselves.
“Some attacker is attacking the “Offer” feature. Therefore we suggest you cancel all the offers immediately if you have one.”
Expanding further, Apetimism said that, based on their analysis, the hacker appeared to have been able to transfer offers made on NFTs to their own wallet. They surmised that the hacker deployed their own smart contract to override the existing logic and exploit the offer function.
How? An attacker deployed a contract to bypass some logic on Quixotic's smart contract over the offering feature. This would let them steal all the tokens used in any offer on Quixotic in any currency.
— Apetimism 🔴 | Sold Out (@apetimism) July 1, 2022
Apetimism reported that $100,000 had been lost so far. However, since that tweet went out, an analysis of the hacker’s wallet shows several large outflows greater than $100,000.
The most significant single transfer out was for 110,756 USDC, while the next largest transaction out was for 170,882 Optimism (OP), valued at $90,500 at the current price.
A further follow-up shows the hacker actively breaking the stolen funds into smaller sums and sending them to multiple other addresses.
What is Quixotic?
Quixotic is the largest NFT marketplace on the Ethereum layer-2 platform Optimism.
It boasts an average transaction fee of just 0.0005 ETH ($1.50), making the platform much more usable for most NFT traders. The firm estimates it has saved its members around $2 million in gas fees since its inception.
On-chain tracking shows the platform turned over $419,500 in volume over the last 30 days, but user activity has declined significantly since June 14.