Rug Pull Finder’s NFT contract was abused by two scammers, and 450 NFTs were stolen per wallet.
Rug Pull Finder (RPF), an NFT watchdog focused on identifying web3-based fraud, has fallen victim to a smart contract exploit of its own.
According to the NFT investigator’s post on Twitter on September 2, two hackers exploited a technical vulnerability in the project during the free mint stage and stole 450 NFTs out of a total of 1,221 in each wallet.
As discussed on our Twitter Space earlier today –
We messed up. We messed up big. Our contract had a flaw that allowed 2 people to scoop up over 450 NFTs.
Here is what we are doing to fix it 🧵
— Rug Pull Finder (@rugpullfinder) September 2, 2022
According to RPF, its smart contract contained a vulnerability that could be exploited, allowing the attackers to obtain more NFTs than the permitted number.
The RPF team moved to rectify the situation shortly after the incident, offering one of the people involved a bounty of 2.5 Ether (ETH) (worth $3,944.68 at the time of writing) to recover 330 NFTs. This offer was accepted.
The watchdog group acknowledged that the exploit occurred because it did not heed alerts from an unknown source about potential vulnerabilities, sent 30 minutes before the mint went live.
The NFT investigator pointed out that the digital blockchain creation agency Doxxed Media handled all the contracts, and that they did not go through review by the management team.
Despite a bad start, RPF managed to get its NFT project on the right track.
Through consultation with their online community, RPF has decided to distribute the recovered NFTs across various spaces, including in the “Bad Guys Vault”. After that, a few debates erupted on Twitter around Rug Pull Finder and its Public Wallet List.