Smart Contract Auditing Firm Suffers Smart Contract Exploit
Bad Guys Haul 450 'Bad Guys' NFTs; Rug Pull Finder Buys Back Most Assets
A web3 security company that offers smart contract audits to blockchain companies found itself on the receiving end of an exploitable flaw when two individuals stole hundreds of non-fungible tokens during the minting stage.
The individuals exploited the "critical flaw" during the free mint of the company's NFT project. It allowed them to bypass the project's one-NFT-per-wallet rule and allocate hundreds of assets to themselves, Rug Pull Finder says.
"We messed up. We messed up big," the company said on Friday.
Rug Pull Finder said it did not audit the smart contracts created by Doxxed Media for this project. "Like dumba**es, we did not have our team audit it, or an independent 3rd party. This is definitely our fault," it says.
The company said it did not take seriously an anonymous warning about the flaw, communicated to it 30 minutes before the project's launch. "We made the determination that the flaw wasn't going to affect us, which was obviously an error."
The company said the two individuals who took the NFTs are not hackers or scammers because "they didn't do anything illegal" and only took advantage of a flaw the company overlooked. "While they may have found an advantage, this is not a hack or scam, etc. They found a bug, and they used it for profit," the company says.
Rug Pull Finder paid them 2.5 ETH to "purchase the remaining 366 NFTs." It did not specify the status of the rest of the NFTs the two individuals took and did not immediately respond to Information Security Media Group's request for details.
Over the past weekend, the company raffled off the NFTs involved in the incident for free, counting the money it paid the thieves "as a loss."
An NFT audit and crypto security researcher who goes by the pseudonym "NFTherder" on Twitter was among the first to discover the flaw. "It is concerning when security-minded projects like Rug Pull Finder get their Discord breached and their code exploited yet they're offering those exact services to customers," the researcher wrote.
The company "did not put checks and restrictions" in place to prevent the incident, the researcher told ISMG. "The checks still aren't there because they did not fix and redeploy [the code]. Instead, they decided to pay the mint abuser(s) a few thousand dollars and move on… They paid the bad actors they set out to fight with their watchdog group. Ironic."
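The kind of per-wallet mint check the researcher says was missing, shown as an added illustration rather than Rug Pull Finder's or Doxxed Media's code; the article does not say how the one-per-wallet rule was implemented or bypassed, so the contract, its names and its supply figure are hypothetical and it assumes OpenZeppelin's ERC721:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Hypothetical free-mint contract (not the project's code) that enforces a
/// per-wallet cap with a dedicated counter instead of a balanceOf() check.
contract OnePerWalletMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public constant MAX_SUPPLY = 1000; // constructed sample value
    uint256 public totalMinted;

    // How many tokens each address has ever minted. Unlike balanceOf(), this
    // value never decreases when a holder transfers a token away, so the cap
    // cannot be reset by moving already-minted tokens to another wallet.
    mapping(address => uint256) public mintedBy;

    constructor() ERC721("Hypothetical", "HYP") {}

    function freeMint() external {
        require(mintedBy[msg.sender] < MAX_PER_WALLET, "wallet limit reached");
        require(totalMinted < MAX_SUPPLY, "sold out");

        // Record the mint before calling _safeMint (checks-effects-interactions):
        // _safeMint invokes onERC721Received on contract recipients, and updating
        // state first means a re-entrant call sees the limit already consumed.
        mintedBy[msg.sender] += 1;
        uint256 tokenId = ++totalMinted;
        _safeMint(msg.sender, tokenId);
    }
}
```

The counter and the effects-before-interactions ordering are the two properties an auditor would verify on a mint function with a per-wallet rule.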