As bad actors continue to perform hit-and-run attacks on projects in the crypto space, it was inevitable that watchdogs, auditors, and the like would also become more sought after.
One such auditor is Rug Pull Finder (RPF), an NFT watchdog that investigates alleged scams upon request and attempts to keep the community updated via Twitter.
Unfortunately, it seems that the community failed to audit some of the protocol’s own work before minting its own NFT collection.
Whitelist Mint Compromised
Recently, RPF decided to mint a collection of NFTs called “Bad Guys,” meant to represent NFT scammers in various tongue-in-cheek situations. This digital art was meant to serve as a whitelist for another NFT drop coming later this autumn. Due to the intended function as a whitelist, minting was supposed to be limited to one per wallet.
Unfortunately for RPF, the mint was compromised by exploiters who managed to get over 450 NFTs out of a total of 1,221 in short order.
As discussed on our Twitter spaces earlier today –
We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.
Here is what we are doing to fix it 🧵
— Rug Pull Finder (@rugpullfinder) September 2, 2022
The devs responsible for the kerfuffle have apparently been let go in the meantime. The team at Rug Pull Finder has also admitted to the failure to invite an independent third party to audit the project, resulting in the compromised whitelist mint. However, the team has already reached out to the exploiters, who have apparently acted in good faith and come to some kind of agreement with RPF.
NFTs Mostly Returned to RPF's Possession
Out of the 450 NFTs minted via an exploit, 366 will be returned to RPF shortly in exchange for 2.5 ETH.
“We have reached an agreement with the wallets that took advantage of the contract, agreeing to pay them 2.5 ETH to purchase the remaining 366 NFTs. While they may have found an advantage, this is not a hack or scammers, etc. They found a bug, and they used it for profit.”
Although this is a significant blow to the project – and to their reputation as auditors – this should ensure that the main mint coming this autumn can go ahead as planned.
The community has, on one hand, praised RPF for the transparency and quick resolution of the issue and, on the other hand, made light of the situation – with the irony of an auditor failing to adhere to basic auditing protocols not lost on its Twitter followers.
The remaining exploited 84 NFTs will, for now, remain in the possession of the bug exploiters.