NFT watchdog Rug Pull Finder falls victim to an exploit of its own NFT giveaway
In an ironic twist, Rug Pull Finder (RPF), a nonfungible token (NFT) watchdog focused on identifying Web3-based fraud, has fallen victim to a smart contract exploit of its own.
According to the NFT investigator’s post on Twitter on September 2, two people exploited a technical flaw in the project during the free mint stage, taking 450 NFTs out of a possible 1,221 in a mint that was supposed to be limited to one per wallet.
As discussed on our Twitter space earlier today –
We messed up. We made a big mess. Our contract had a bug that allowed 2 people to accumulate over 450 NFTs.
Here’s what we’re doing to fix it
— Rug Pull Finder (@rugpullfinder) 2 September 2022
According to RPF, a bug in their smart contract was exploited, allowing the two exploiters to mint more than the permitted number of NFTs.
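The report gives the shape of the problem without the contract code: a cap of one NFT per wallet that two wallets bypassed to accumulate 450 tokens. As an added example (not code from Rug Pull Finder or Doxxed Media), the Python script below shows the kind of post-mint check a watchdog could run over on-chain mint events to detect a broken per-wallet cap. It assumes the events have already been pulled from the chain as (wallet, token id) records; the sample events, wallet names and transaction hashes are constructed, scaled to the figures in the report.

```python
"""Flag wallets that exceeded a per-wallet mint cap, from a list of mint events.

Added example, not Rug Pull Finder's or Doxxed Media's code. It assumes mint
events are available as (minter, token_id) records; the sample data below is
constructed for illustration and mirrors the reported figures (two wallets,
450 tokens out of a 1,221 supply).
"""
from collections import Counter
from dataclasses import dataclass

MAX_SUPPLY = 1221       # size of the Bad Guys free mint, per the report
PER_WALLET_LIMIT = 1    # the intended rule: one NFT per wallet


@dataclass(frozen=True)
class MintEvent:
    tx_hash: str   # placeholder value; real hashes come from the chain
    minter: str    # recipient wallet address (constructed in the sample)
    token_id: int


def mints_per_wallet(events):
    """Count minted tokens per recipient wallet."""
    return Counter(e.minter for e in events)


def find_over_minters(events, limit=PER_WALLET_LIMIT):
    """Return ({wallet: count} for wallets above `limit`, tokens minted beyond the cap)."""
    counts = mints_per_wallet(events)
    over = {w: n for w, n in counts.items() if n > limit}
    excess = sum(n - limit for n in over.values())
    return over, excess


def sanity_check_supply(events, max_supply=MAX_SUPPLY):
    """Flag duplicate token ids and minting past the maximum supply."""
    ids = [e.token_id for e in events]
    duplicates = [t for t, n in Counter(ids).items() if n > 1]
    return {
        "total_minted": len(ids),
        "duplicate_ids": duplicates,
        "over_supply": len(ids) > max_supply,
    }


def build_sample_events():
    """Constructed sample: 300 ordinary one-per-wallet mints, then two wallets
    that accumulate 250 and 200 tokens (450 in total, as in the report)."""
    events = []
    tid = 0
    for i in range(300):
        events.append(MintEvent(f"0xtx{tid:04x}", f"0xwallet{i:04x}", tid))
        tid += 1
    for wallet, n in (("0xEXPLOITER_A", 250), ("0xEXPLOITER_B", 200)):
        for _ in range(n):
            events.append(MintEvent(f"0xtx{tid:04x}", wallet, tid))
            tid += 1
    return events


if __name__ == "__main__":
    ev = build_sample_events()
    print(sanity_check_supply(ev))
    over, excess = find_over_minters(ev)
    for w, n in sorted(over.items(), key=lambda kv: -kv[1]):
        print(f"{w}: {n} mints (limit {PER_WALLET_LIMIT})")
    print(f"{len(over)} wallets over the limit, {excess} tokens minted beyond the cap")
```

Run on real data, the same aggregation over a collection's Transfer-from-zero-address events is a quick way to confirm whether a stated per-wallet limit actually held, which is the check a pre-launch audit or a 30-minute-before-mint warning would prompt.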
The RPF team moved to remedy the situation soon after the exploit, offering one of those involved a bounty of 2.5 Ether (ETH) (worth $3,944.68 at the time of writing) in exchange for returning 330 of the NFTs, a deal that was accepted.
The crypto investigators noted that the exploiters “negotiated in good faith and allowed us to reach a reasonable settlement with them.”
The free mint, titled “Bad Guys,” featured artwork depicting NFT “fraudsters who accidentally let loose on the blockchain.”
The collection acts as a whitelist or pre-sale for members before the upcoming 10,000 NFT collection this fall.
Holding a Bad Guy NFT provides exclusive access to the mint, the RPF main drop and other upcoming projects.
Warnings ignored
The watchdog group admitted that the exploit happened because they ignored warnings about potential bugs, sent by an unknown source 30 minutes before the mint went live.
“After reviewing it with three different development teams, we didn’t believe the credibility of the information that was sent to us… We were obviously wrong, and we’re really, really sorry.”
Admitting a mess is rare and responsible. Well done RPF. You should be praised. In the last few months I have seen token contracts with bugs, bad code and, yesterday, suspect code that anyone can take advantage of, and not one of those developers said what you just said.
— Fiken (@CryptoRoog) 2 September 2022
The NFT investigator pointed to digital blockchain creative agency Doxxed Media as having handled all the art and contract work, adding that they “have not had our team audit it, or an independent third party.”
The irony of the exploit has not been lost on the crypto community, with some praising the NFT investigator for admitting its mistake, while others have questioned how a company specializing in detecting vulnerabilities in smart contracts did not perform the proper checks on its own project.
I think it’s worrisome when security-oriented projects like RugPullFinder get contentiously broken and the code exploited, but they offer exactly those services to customers. What do you think? pic.twitter.com/zJRWUXqic5
— OKHotshot (@NFTherder) 2 September 2022
However, after the shaky start, RPF has managed to get the NFT project back on track.
Following consultation with its online community, RPF decided to distribute the recovered NFTs across several channels, including the “Bad Guys Vault,” a raffle on Twitter, two additional raffles for projects that are friends of Rug Pull Finder, and the wallet list for the public sale of the Rug Pull Finder collection.