In an ironic twist, Rug Pull Finder (RPF), a nonfungible token (NFT) watchdog focused on identifying Web3-based fraud, has fallen victim to a smart contract exploit of its own.
According to the NFT investigator’s post on Twitter on Friday, two people exploited a technical flaw in the project during the free mint stage — pilfering 450 NFTs out of a possible 1,221, which were intended to be limited to one per wallet.
As discussed on our Twitter space’s earlier today –
We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.
Here is what we are doing to fix it
— Rug Pull Finder (@rugpullfinder) September 2, 2022
According to RPF, their smart contract had a flaw that allowed the code to be exploited, allowing the bandits to allocate more than the allowed number of NFTs to themselves.
The RPF team made moves to rectify the situation soon after the exploit, offering one of the people involved a deal to pay them a bounty of 2.5 Ether (ETH), worth $3,944.68 at the time of writing, to recover 330 of the NFTs, which was accepted.
The crypto investigators noted that the exploiters “did negotiate in good faith and allow us to come to a reasonable solution with them.”
The free mint, titled Bad Guys, featured artworks of NFT “scammers accidentally let loose on the blockchain.”
The collection serves as a whitelist or presale for members before the upcoming 10,000 NFT collection this fall.
Holding a Bad Guy NFT provides exclusive access to the mint, the RPF main drop, and other upcoming projects.
The watchdog group admitted that the exploit occurred as they didn’t heed warnings from an unknown source about the flaw, which was sent 30 minutes before the mint went live.
“After reviewing it with three different dev teams, we did not believe the credibility of the information sent to us… We were clearly wrong, and we are truly, truly sorry,” RPF said.
Admitting a mess up is rare and accountable. Bravo RPF. You are to be commended. The last few months I…