Researchers from Rug Pull Finder (RPF) reported an exploit in their own smart contract that allowed two attackers to mint 450 of the project's NFTs to their wallets for free, instead of one per wallet.
According to the team, the hackers created an additional chain in the tool for free minting of Bad Guys. Using it, RPF selected users for the presale of a collection of 10,000 NFTs planned for the autumn. Owning Bad Guys tokens also granted access to other upcoming projects.
In total, the smart contract allowed 1,221 tokens to be issued—one per wallet. However, the vulnerability enabled the attackers to increase the allowed number of NFTs.
After discovering the incident, RPF arranged with one of the hackers to pay a reward of 2.5 ETH (about $3,950 at the time of writing) to recover 330 NFTs.
The watchdog group acknowledged that 30 minutes before the launch of Bad Guys, an unknown source warned them about the vulnerability, but they ignored it.
"After checking with three different development teams, we did not believe the information sent to us was credible. We were clearly mistaken, and we are very sorry," said RPF.
The smart contract was developed by blockchain agency Doxxed Media. RPF acknowledged that neither it nor any independent third party had conducted a code audit.
After consulting with the community, the team decided to distribute the recovered NFTs. Some will be returned to the Bad Guys treasury, others will be given away on Twitter and among the project’s friends.
Elliptic analysts reported in August that since 2017, criminals laundered over $8 million through NFT marketplaces, accounting for 0.02% of total trading volume.
According to them, from July 2021 to July 2022, tokens worth more than $100 million were stolen.
The most popular tool for laundering funds obtained from NFT-related fraud was the cryptocurrency mixer Tornado Cash.
