Blog

Unforgettable NFT Smart Contracts Exploits

NFT smart contract exploits in the recent past.

Table of Contents

Read Time: 5 minutes

On the way to launch an NFT project? Well, here are some statistics that will delight you!

As per a report from Fox News, NFTs reached a sales volume of $2.5 billion this year in the initial six months! This was right after hitting a total of $13.7 million in 2020. OpenSea in June recorded $125 Million worth of NFT sales. As per NonFungible.com, nearly 20K buyers have bought NFTs every week since March on the Ethereum blockchain. This even outnumbered the number of sellers.

However, the whopping rise doesn’t mean NFTs are free of issues. NFTs are built on smart contracts that are prone to exploitation and hacking. According to Bitcoin News, 25% of all smart contracts have critical bugs. Apart from these, other contracts are also likely to contain bugs of various types and severity levels. Developers, often working in a hurry or because of a lack of knowledge, may create faulty contracts, which might cause the loss of millions of dollars to the project promoters.

Leave a bug untraced, and even a billion dollars you have accumulated will give you no protection against bugs.

Let us throw light on the three popular NFT projects that experienced fatal outcomes due to bugs and mischievous tweaks:

MoonCatRescue

In 2017, just after the arrival of CryptoPunks and before the launch of CryptoKitties, two developers known as ‘Ponderware’ created blockchain-collectible cats. Known as MoonCatRescue, it started on a flawed note. Its erroneous smart contract resulted in the loss of some ETH before they could resolve the issue. Here’s how things turned out to be:

MoonCats planned to collect ether from the sale of the genesis cats. However, a fix during the QA process culminated in the permanent locking of these funds.

When a user adopted the MoonCat, the piece-code `transferCat(catId, catOwners[catId], msg.sender, offer.price)’ moved the funds to `require(catOwners[catId] != 0x0)’. It is a kind of issue that should have been reasonably resolved in the testing phase. However, it didn’t happen, and the project lost out on a fair amount of ETH.

CryptoPunks

Launched in 2017 as the first NFT project, CryptoPunks was adversely affected when it was suffering from a severe bug that led to the non-receipt of payments despite the sales. The bug was found after all of the 10,000 Punks were traded, and the secondary market started functioning.

Larva Labs, the creators of CryptoPunks, zeroed in on testing quality in the pre-launch phase for this issue. John Watkinson, the co-founder of CryptoPunks, posted a Twitter thread to clarify this bug issue comprehensively. Subsequently, Larva Labs re-launched this project with an updated smart contract. They also brought in the V1 punks as V1 CryptoPunks ERC-721 wrapper.

Meebits

Also, a project of LarvaLabs came up with its new project with the name ‘Meebits.’ It involved minting Meebits with random traits. The users attempted to find a Meebit that was rare. The project was thought to be functioning perfectly well; however, some users exploited the loopholes to deceive the system and find the traits to obtain the Meebit they desired.

A user named ‘0xNietzsche’ rode Meebits’ process, using it to his advantage. There was an archived file in Meebits’ smart contract to demonstrate the status of every token ID. Users were allowed to execute Meebit generation and cancel the same if it wasn’t found to be rare. This was possible using a comparison of the traits file.

0xNietzsche took the pains of initiating over 300 transactions for testing this loophole. Each Meebit was canceled in case it wasn’t carrying rare traits. 300+ transactions later, he and his associates finally came across a rare Meebit (#16647). It was discovered how he had to shell out $20K every hour in gas charges while waiting to get the rare Meebit. The vulnerability of the smart contract thus got exposed. They ended up selling their rare Meebit for 200 ETH, which was valued around $750K at that time.

When LarvaLabs became aware of it, they temporarily paused the Meebit minting. However, they stressed the contract was safe, and trading was working just fine. They were not wrong as the Meebits continued to be assigned randomly. Users could not have exploited the contract unless they were willing to invest a lot of time and gas charges for the same. By then, as such, the Meebit minting had come to an end.

Hashmasks

A bug was reported by samczsun in the Hashmasks art sale during the late stages. Unlike the above three, however, there was no damage and Hashmask was able to take remedial steps in time. Samczsun raised a flag about a potential bug in Masks.sol smart contract of hashmasks, in the mint NFT function.

Had an attacker been able to exploit the bug, they would have minted more than 16,384 Hashmasks. Somehow, the bug could not be discovered during the testing phase. Hashmasks awarded samczun with $12,500 USDC for the bug disclosure.

Vulnerabilities in smart contracts – a spotlight

Attackers have become smarter, and NFT projects must use adequate protection tools and conduct thorough audits of the smart contract. Some common bugs in smart contracts are transaction ordering dependence (TOD), timestamp dependency, and re-entrancy.

Wrapping up

When industry standards are still taking shape, smart contract auditing and penetration testing have emerged as two benchmarks for strong security in blockchain systems. For this purpose, there is no one better qualified than the blockchain engineers specializing in blockchain audits.

Though the prevalent practice in the NFT arena is to have smart contracts audited before the sale of tokens, some projects that are yet to raise funds may try to take the shortcut and skip this crucial phase. 

Such a misconceived step might prove fatal for your projects, resulting in all your funds getting drained, or there might be bugs manipulating buffer overflow to alter account balances. To ensure your project doesn’t become a repeat of CryptoPunks, Meebits, and MooncatRescue, settling for a smart contract audit is the most logical way out.

Reach out to QuillHash

Follow QuillHash for more updates.

Twitter | LinkedIn Facebook

1,023 Views

Related Articles

View All

Leave a Comment

Your email address will not be published.

Trending

🧵..

⚠️⚠️

Binance Smart Chain was compelled to suspend operations on Thursday due to a "potential exploit". The attacker moved over half million in cryptocurrency from the @binance -linked blockchain.

↓↓

⚠️⚠️

In one of the protocol's lending pools, an exploiter escaped with over 44 RBTC by employing a price manipulation method.

#cyberattacks

🧵..
↓↓

We request BSC Validators to get in touch with us within the next few hours so that we can plan a node upgrade.

We'd like to thank the community again for their continuous support.

⚠️⚠️

A spammer has caused havoc for Zcash node operators by filling transaction Blocks with a large number of shielded transaction outputs. Many believe this is a FUD designed to draw attention.

#cyberattacks

🧵🪡..

↓↓

🧵..

[MUST KNOW] Security Tips for Web3—

Don’t ever think it can’t happen to you🚫!

Don’t Rush⚡

In crypto, we all like to move fast, grab the most hyped thing to shell out millions in a minute.

But at the same time, we forget that we are the most vulnerable ones as well.

Load More

90 Types of Crypto Worth $160M Stolen 🚨

It was observed from the Omni bridge source code that the logic to verify chainID was present, but the verified chainID used in the contract was pulled from a value stored in the storage named uintStorage.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+