A web3 security company that offers smart contract audits to blockchain companies found itself on the receiving end of an exploitable flaw when two individuals stole hundreds of non-fungible tokens during the minting stage.
Rug Pull Finder acknowledged that two individuals took 450 NFTs out of a 1,221-NFT “Bad Guys” collection featuring art of scammers “causing mischief across the blockchain.”
The individuals exploited the “critical flaw” during the free mint of the company’s NFT project. It allowed them to bypass the project’s one-NFT-per-wallet rule and allocate hundreds of assets to themselves, Rug Pull Finder says.
The company said it did not take seriously an anonymous warning about the flaw, communicated to it 30 minutes before the project’s launch. “We made the determination that the flaw wasn’t going to affect us, which was obviously an error.”
The two individuals who took the NFTs are not hackers or scammers because “they didn’t do anything illegal” and only took advantage of a flaw the company overlooked, the company said. “While they may have found an advantage, this is not a hack or scam, etc. They found a bug, and they used it for profit,” the company says.
An NFT audits and crypto security researcher who goes by the pseudonym “NFTherder” on Twitter was among the first to discover the flaw. It is “concerning when security-minded projects like Rug Pull Finder get their Discord breached and their code exploited yet they’re offering those exact services to customers,” the researcher wrote.