Cover photo

The Artchitech's stolen Beeples

Beeple’s latest everyday tweet includes a cryptic message and if you dig a little deeper you find a story involving Sotheby’s, Beeple, TheArtchitech and stolen art!

Follow my on-chain investigation into how the art was stolen, how it was washed on it’s way to Sotheby’s wallet and where it is now!

https://x.com/beeple/status/1796232883084083705

I take a keen interest in all things Beeple and I’ve been lucky enough to win a number of prizes solving his puzzles. So when I saw a Beeple 1/1 and 2 x 1/3s leave a single wallet and get sold into bids I followed the trail that ultimately ended at Sotheby.

https://x.com/RadicalnotionsE/status/1603136825685864449

The three Beeples stolen were 30K #1/1, DEAD #3/3 and [ALIVE #3/3](https://ALIVE #3/3), the same three pieces that feature in Beeple’s everyday above. They were stolen after a re-entrancy vulnerability was discovered in NFTTrader. This vulnerability allowed anyone to steal assets that were approved for NFTTrader. The TheArtchitech was exploited for his three Beeples in this transaction.

For a deeper dive of the exploit itself check out @cygaar’s detailed writeup.

https://x.com/0xCygaar/status/1736056050816876626

Unfortunately, almost a year before the exploit, TheArtchitech had approved NFTTrader to transfer any of their Beeple assets via setApprovalForAll() (see this transaction). With this approval and the re-entrancy exploit the attacker was able to transfer all three of the Beeples from TheArtchitech to their own attack contract.

Approvals are a normal part of buying, selling and trading NFTs however it’s important to always revoke permissions if you don’t intend to sell the assets as approvals don’t expire. They are reset when assets are transferred between wallets and this is why a lot of collectors have multiple wallets or a vault to transfer assets to, resetting their approvals.

After exploits like this the valuable NFTs are generally sold into WETH bids and I always found it strange (or lucky) that these three high value Beeples were all sold to the same account Doge_Doge. All three pieces were sold for approximately 9 WETH or 27.21 WETH in total. See the sale transaction.

Looking at the sale transaction the attacker 0x0000000000000F25a072EFA232D8EFc0b5CE2436 bundled 3 bids from Doge_Doge and submitted them to Seaport’s fulfillAvailableAdvancedOrders().

Diving deeper into the offers and considerations you can see that Doge_Doge was very specific with their offers. They made offers for the BEEPLE - SPRING/SUMMER COLLECTION 2021 contract 0xdd012153e008346591153fff28b0dd6724f0c256 and tokens 100110003 ALIVE #3/3, 100100001 30K #1/1 and 100120003 DEAD #3/3.

post image

It’s also interesting to look at the time windows these three offers were available to be fulfilled by the attacker;

  • 1702755279 to 1702757078 for token 100100001

    • Sat Dec 16 2023 19:34:39 to Sat Dec 16 2023 20:04:38 ~ 30 mins

  • 1702755404 to 1703014603 for token 100110003

    • Sat Dec 16 2023 19:36:44 to Tue Dec 19 2023 19:36:43 ~ 3 days

  • 1702755381 to 1703014579 for 100120003

    • Sat Dec 16 2023 19:36:21 to Tue Dec 19 2023 19:36:19 ~ 3 days

It’s same to assume that Doge_Doge made the three offers for ~9 WETH between 19:34 and 19:36 on Sat Dec 16. The exploit occurred approximately 3 hours earlier that day at 16:26. The timeline leading up to the sale is interesting;

  1. The hack of TheArtchitech happens at 16:26 UTC December 16th in this transaction. After the hack the Beeples reside in the attacker’s smart contract 0x000000000000c35e4364deffa9059dbadaefd4f8.

  2. At 14:29 December 16th in this transaction the Beeples are moved from the attacker’s smart contract to another smart contract presumably owned by the attacker 0x0000000000000f25a072efa232d8efc0b5ce2436.

  3. At 17:38 December 16th Doge_Doge swaps 10ETH for WETH in this transaction. They will ultimately need around 27 WETH to bid 9 WETH on each of the Beeples.

  4. At 19:27 December 16th Doge_Doge removes 17.95 ETH from Blur Pool in this transaction.

  5. At 19:31 December 16th Doge_Doge wraps 18 ETH to 18 WETH in this transaction.

  6. From 19:34 to 19:46 December 16th Doge_Doge makes 3 offers all at ~9WETH for the three Beeples.

  7. At 19:40 the attacker bundles all three offers and sells the Beeples to Doge_Doge for 27.21 WETH in this transaction.

As I alluded to earlier Doge_Doge was lucky to be in the right spot at the right time with the right WETH, receiving all three Beeples for 27.21 WETH. Their actions after the sale suggest they knew the Beeples were stolen and they should attempt to hide the part they played in moving the goods to their final sale. This sale was likely to be at none other then a Sotheby’s auction.

TheArtchitech's Beeples in Sotheby's Auction Wallet
TheArtchitech's Beeples in Sotheby's Auction Wallet

After the sale from the attacker to Doge_Doge there are some strange zero value swaps on X2Y2 and asset transfers that move the stolen assets between a series of wallets, some of these wallets are linked via direct ETH transfers;

https://app.blocksec.com/explorer/tx/eth/0x4e6c8b6dd152e30ff326eced15ee510d46d3705b4d3fff8a83fe2007023fbebc
https://app.blocksec.com/explorer/tx/eth/0x4e6c8b6dd152e30ff326eced15ee510d46d3705b4d3fff8a83fe2007023fbebc
https://app.blocksec.com/explorer/tx/eth/0x5d3654edc94e3bf161ac0ad15aa2165bb170237806093369e3133e42597dfafb
https://app.blocksec.com/explorer/tx/eth/0x5d3654edc94e3bf161ac0ad15aa2165bb170237806093369e3133e42597dfafb
https://app.blocksec.com/explorer/tx/eth/0x9cd658b6c11ae8f067e8640d5ca71827b349314397051513f67f4dff186d6b00
https://app.blocksec.com/explorer/tx/eth/0x9cd658b6c11ae8f067e8640d5ca71827b349314397051513f67f4dff186d6b00
Wallets involved in Beeple NFT or ETH transfers
Wallets involved in Beeple NFT or ETH transfers

In the graph above you can see a ring of wallets that transfer the Beeples via zero-value X2Y2 swaps or direct NFT transfers. Multiple wallets are also directly linked via ETH transfers (of 2.1 and 0.03 ETH). It’s a closed loop from the Beeples being purchased by Doge_Doge moving through a series of wallets that are linked to each other via direct transfers and ultimately arriving in Sotheby’s wallet.

The recovery of the assets I can’t comment on as it happens off-chain. However TheArtchitech was likely fortunate the stolen Beeples ended up in Sotheby’s auction wallet rather than being sold.

https://x.com/beeple/status/1796234140708192641

When you look at the people the TheArtchitech thanked there’s some clues to what might have happened off-chain.

https://x.com/ARTMAN141/status/1796238278598754462

On May 29th 2024 (5 months after the attack) all three of the stolen Beeples were transferred from the Sotheby’s auction wallet 0x55eca4d1c9ea7021509a7cd88c68c279dabdd37d to TheArtchitech’s new wallet 0x0c260590C474D8D7A9b1D911454E30BFeAFb4eA7 in this transaction.

I suppose whatever happens off-chain stays off-chain….