Rug Pull Finder (RPF), a nonfungible token (NFT) watchdog that focuses on identifying Web3-based fraud, has become a victim of a smart contract exploit of its own, which is an ironic turn of events.
According to a post the NFT investigator made on Twitter on September 2, it discovered that two people had taken advantage of a technical flaw in the project during the free mint stage. They stole 450 NFTs out of a possible 1,221 NFTs, which were supposed to be limited to one per wallet.
According to RPF, their smart contract contained a flaw that allowed the code to be exploited. This gave the bandits the ability to allocate more NFTs than the maximum that was permitted.
As discussed on our Twitter space's earlier today –
We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.
Here is what we are doing to fix it 🧵
— Rug Pull Finder (@rugpullfinder) September 2, 2022
The RPF team moved quickly to correct the situation after the exploit was discovered. They made a deal with one of the people involved to pay them a bounty of 2.5 ether (ETH), which was worth $3,944.68 at the time this article was written, if they could recover 330 of the NFTs. This deal was accepted.
The crypto investigators made note of the fact that the exploiters “did negotiate in good faith and allowed us to come up with a reasonable solution with them.”
“Bad Guys,” the name of the free mint, featured artworks of NFT “scammers accidentally let loose on the blockchain.”
The collection acts as a whitelist or presale for members ahead of the upcoming 10,000 NFT collection that will take place in the fall.
When you hold a Bad Guy NFT, you gain access to a variety of upcoming projects as well as the mint and the RPF main drop.
Warnings were disregarded.
The watchdog group has admitted that the exploit took place because they failed to heed warnings about the potential flaws, which an unknown source sent thirty minutes before the mint went live.
“After discussing it with three separate development teams, we came to the conclusion that the information that had been sent to us was not credible… We recognise that we were in the wrong and extend our sincerest apologies.”
The NFT investigator mentioned that the art and contract work was handled by the digital blockchain creative agency Doxxed Media, and they “did not have our team audit it, or an independent 3rd party.”
I think it's concerning when security-minded projects like RugPullFinder get their Discord breached and their code exploited yet they're offering those exact services to customers. What do you think? pic.twitter.com/zJRWUXqic5
— OKHotshot (@NFTherder) September 2, 2022
The irony of the exploit has not been lost on the cryptocurrency community, with some members praising the NFT investigator for admitting its fault and others questioning how a company that specialises in detecting smart contract vulnerabilities did not conduct the proper checks on its own project.
However, despite the shaky beginning, RPF has been successful in getting their NFT project back on the right track.
After consulting with their online community, RPF has decided to distribute the recovered NFTs across a variety of spaces. These include the “Bad Guys Vault,” a raffle on Twitter, and two additional raffles for projects that are friends of Rug Pull Finder as well as the Rug Pull Finder public sale wallet collection list.