NFT watchdog Rug Pull Finder has its NFT giveaway hacked

Two con artists were able to mint 450 NFTs instead of one per wallet because of misuse of the Rug Pull Finder NFT contract.

In an ironic turn of events, Rug Pull Finder (RPF), a nonfungible token (NFT) watchdog dedicated to exposing Web3-based fraud, was itself the victim of a smart contract flaw.

Two individuals stole 450 NFTs out of a possible 1,221 that were supposed to be limited to one per wallet due to a technical defect in the project, according to the NFT investigator’s post on Twitter on September 2.

As discussed on our Twitter space’s earlier today –

We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.

Here is what we are doing to fix it 🧵

— Rug Pull Finder (@rugpullfinder) September 2, 2022

RPF claims that its smart contract had a bug that allowed code to be abused, enabling the bandits to give themselves access to more NFTs than was permitted.

The RPF team took action to address the issue shortly after the exploit, making an offer to one of the parties involved to pay them a bounty of 2.5 ETH (worth $3,944.68 at the time of writing) in exchange for finding 330 of the NFTs. This offer was accepted.

The exploiters “did negotiate in good faith and allowed us to get to an acceptable arrangement with them,” according to the crypto detectives.

The “Bad Guys” free mint included artwork created by NFT “scammers mistakenly let wild on the network.”

Prior to the impending 10,000 NFT collection this fall, the collection serves as a whitelist or presale for members.

Exclusive access to the mint, the RPF major drop, and other forthcoming projects is available when holding a bad guy NFT.

Alerts disregarded

The monitoring group said that the attack happened because they disregarded warnings about the bug supplied by an unidentified source 30 minutes before the mint went live.

“After reviewing it with three different dev teams, we did not believe the credibility of the information sent to us… We were clearly wrong, and we are truly, truly sorry,” RPF said.

As discussed on our Twitter space’s earlier today –

We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.

Here is what we are doing to fix it 🧵

— Rug Pull Finder (@rugpullfinder) September 2, 2022

Doxxed Media, a digital blockchain creative studio, was cited by the NFT investigator as having handled all of the contract and artwork, and it acknowledged that it “did not have our team audit it, or an independent 3rd party.”

The irony of the exploit has not escaped the attention of the cryptocurrency community, with some applauding the NFT investigator for admitting its mistake while others have questioned why a business that specializes in finding smart contract vulnerabilities didn’t perform the necessary checks on its own project.

I think its concerning when security minded projects like RugPullFinder get their discord breached and their code exploited yet they’re offering those exact services to customers. What do you think? pic.twitter.com/zJRWUXqic5

— OKHotshot (@NFTherder) September 2, 2022

Despite the rocky beginning, RPF was able to restart its NFT project.

RPF has chosen to disperse the recovered NFTs in a number of places after consulting with their online community, including the “Bad Guys Vault,” a Twitter raffle, two further raffles for projects that are friends of Rug Pull Finder, and the Rug Pull Finder public sale wallet collection list.