Unforgettable NFT Smart Contracts Exploits

NFT smart contract exploits in the recent past.

Table of Contents

Read Time: 5 minutes

On the way to launch an NFT project? Well, here are some statistics that will delight you!

As per a report from Fox News, NFTs reached a sales volume of $2.5 billion this year in the initial six months! This was right after hitting a total of $13.7 million in 2020. OpenSea in June recorded $125 Million worth of NFT sales. As per, nearly 20K buyers have bought NFTs every week since March on the Ethereum blockchain. This even outnumbered the number of sellers.

However, the whopping rise doesn’t mean NFTs are free of issues. NFTs are built on smart contracts that are prone to exploitation and hacking. According to Bitcoin News, 25% of all smart contracts have critical bugs. Apart from these, other contracts are also likely to contain bugs of various types and severity levels. Developers, often working in a hurry or because of a lack of knowledge, may create faulty contracts, which might cause the loss of millions of dollars to the project promoters.

Leave a bug untraced, and even a billion dollars you have accumulated will give you no protection against bugs.

Let us throw light on the three popular NFT projects that experienced fatal outcomes due to bugs and mischievous tweaks:


In 2017, just after the arrival of CryptoPunks and before the launch of CryptoKitties, two developers known as ‘Ponderware’ created blockchain-collectible cats. Known as MoonCatRescue, it started on a flawed note. Its erroneous smart contract resulted in the loss of some ETH before they could resolve the issue. Here’s how things turned out to be:

MoonCats planned to collect ether from the sale of the genesis cats. However, a fix during the QA process culminated in the permanent locking of these funds.

When a user adopted the MoonCat, the piece-code `transferCat(catId, catOwners[catId], msg.sender, offer.price)’ moved the funds to `require(catOwners[catId] != 0x0)’. It is a kind of issue that should have been reasonably resolved in the testing phase. However, it didn’t happen, and the project lost out on a fair amount of ETH.


Launched in 2017 as the first NFT project, CryptoPunks was adversely affected when it was suffering from a severe bug that led to the non-receipt of payments despite the sales. The bug was found after all of the 10,000 Punks were traded, and the secondary market started functioning.

Larva Labs, the creators of CryptoPunks, zeroed in on testing quality in the pre-launch phase for this issue. John Watkinson, the co-founder of CryptoPunks, posted a Twitter thread to clarify this bug issue comprehensively. Subsequently, Larva Labs re-launched this project with an updated smart contract. They also brought in the V1 punks as V1 CryptoPunks ERC-721 wrapper.


Also, a project of LarvaLabs came up with its new project with the name ‘Meebits.’ It involved minting Meebits with random traits. The users attempted to find a Meebit that was rare. The project was thought to be functioning perfectly well; however, some users exploited the loopholes to deceive the system and find the traits to obtain the Meebit they desired.

A user named ‘0xNietzsche’ rode Meebits’ process, using it to his advantage. There was an archived file in Meebits’ smart contract to demonstrate the status of every token ID. Users were allowed to execute Meebit generation and cancel the same if it wasn’t found to be rare. This was possible using a comparison of the traits file.

0xNietzsche took the pains of initiating over 300 transactions for testing this loophole. Each Meebit was canceled in case it wasn’t carrying rare traits. 300+ transactions later, he and his associates finally came across a rare Meebit (#16647). It was discovered how he had to shell out $20K every hour in gas charges while waiting to get the rare Meebit. The vulnerability of the smart contract thus got exposed. They ended up selling their rare Meebit for 200 ETH, which was valued around $750K at that time.

When LarvaLabs became aware of it, they temporarily paused the Meebit minting. However, they stressed the contract was safe, and trading was working just fine. They were not wrong as the Meebits continued to be assigned randomly. Users could not have exploited the contract unless they were willing to invest a lot of time and gas charges for the same. By then, as such, the Meebit minting had come to an end.


A bug was reported by samczsun in the Hashmasks art sale during the late stages. Unlike the above three, however, there was no damage and Hashmask was able to take remedial steps in time. Samczsun raised a flag about a potential bug in Masks.sol smart contract of hashmasks, in the mint NFT function.

Had an attacker been able to exploit the bug, they would have minted more than 16,384 Hashmasks. Somehow, the bug could not be discovered during the testing phase. Hashmasks awarded samczun with $12,500 USDC for the bug disclosure.

Vulnerabilities in smart contracts – a spotlight

Attackers have become smarter, and NFT projects must use adequate protection tools and conduct thorough audits of the smart contract. Some common bugs in smart contracts are transaction ordering dependence (TOD), timestamp dependency, and re-entrancy.

Wrapping up

When industry standards are still taking shape, smart contract auditing and penetration testing have emerged as two benchmarks for strong security in blockchain systems. For this purpose, there is no one better qualified than the blockchain engineers specializing in blockchain audits.

Though the prevalent practice in the NFT arena is to have smart contracts audited before the sale of tokens, some projects that are yet to raise funds may try to take the shortcut and skip this crucial phase. 

Such a misconceived step might prove fatal for your projects, resulting in all your funds getting drained, or there might be bugs manipulating buffer overflow to alter account balances. To ensure your project doesn’t become a repeat of CryptoPunks, Meebits, and MooncatRescue, settling for a smart contract audit is the most logical way out.

Reach out to QuillHash

Follow QuillHash for more updates.

Twitter | LinkedIn Facebook


Related Articles

View All

Leave a Comment

Your email address will not be published. Required fields are marked *


Due to the fact that Web3 technology is still in its infancy, new types of attacks are possible. Some attacks, like ice phishing, are specific to Web3, while others resemble credential phishing attacks.




The $BEVO NFT Art Token (BEVO) on BSC was exploited, resulting in a $45,000 loss.

The root cause of the exploit is that BEVO is a deflationary token. By invoking function deliver(), the value _rTotal will decrease.

QuillAudits 🤝 Gamestarter

@Gamestarter is a complete Web3 ecosystem including an IDO launchpad, game development studio, accelerator, incubator, and soon NFT marketplace, gaming guild and metaverse.

QuillAudits extends its partnership with Gamestarter.


Thoreum Finance on the BNB chain was exploited on January 18, 2023. The exploit resulted in the protocol losing approximately 2261 BNB (~$680K).

✔ Check out our latest article to learn more about how it happens.👇


#web3 #Security #Audit


phyProxy on BSC was attacked, resulting in a loss of 1.2K BUSD.

The root cause is a forced investment due to the delegate calls unverified input in the public delegateCallSwap function.

Load More

Amidst FTX Saga, Hacker Swept More Than $25 Million in 2nd week of November

The contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settling the reward, which means that when the user pledged, the contract did not settle the previous reward and instead conducted a new investment.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+