Unforgettable NFT Smart Contracts Exploits


Read Time: 4 minutes

On the way to launch an NFT project? Well, here are some statistics that will delight you!

According to a Fox News report, NFTs reached a sales volume of $2.5 billion in the first six months of 2021, up from a total of $13.7 million for all of 2020. OpenSea alone recorded $125 million of NFT sales in June. NonFungible.com counts nearly 20,000 buyers of NFTs on Ethereum every week since March, more than the number of sellers.

That rapid growth does not mean NFTs are free of problems. NFTs are built on smart contracts, and smart contracts can be exploited. According to Bitcoin News, 25% of all smart contracts contain critical bugs, and many of the rest contain bugs of lesser severity. Developers working in a hurry, or without enough experience, ship faulty contracts, and a single faulty contract can cost a project millions of dollars.

An untraced bug does not care how much money a project has raised; even a billion-dollar treasury offers no protection against it.

Below are three popular NFT projects that paid for bugs or for the way users gamed their contracts, followed by one that came close.


MoonCatRescue

In 2017, shortly after CryptoPunks arrived and before CryptoKitties launched, the two-developer studio Ponderware created MoonCatRescue, a collection of collectible cats on Ethereum. It started on a flawed note: an error in the smart contract lost some ETH before the team could respond. Here is how it played out:

Ponderware intended to collect the ETH paid for the genesis cats. Instead, a change made during the QA process left those proceeds permanently locked in the contract.

When a user adopted a genesis cat, the contract executed `transferCat(catId, catOwners[catId], msg.sender, offer.price)`, crediting the sale price to whatever address `catOwners[catId]` held. For a genesis cat that was the zero address (`0x0`), so the ETH was booked to an account nobody controls and can never be withdrawn. A guard such as `require(catOwners[catId] != 0x0)` on that path is exactly the kind of check a test suite should have exercised before launch. It was not, and the project lost a fair amount of ETH.


CryptoPunks

Launched in 2017 as the first NFT project on Ethereum, CryptoPunks shipped with a severe bug: sellers did not receive payment for their sales, because the contract credited the purchase price back to the buyer instead of to the seller. The bug surfaced only after all 10,000 Punks had been claimed and secondary-market trading began.

Larva Labs, the creators of CryptoPunks, attributed the issue to insufficient testing before launch. Co-founder John Watkinson explained the bug in detail in a Twitter thread. Larva Labs then relaunched the project on a corrected smart contract; the original tokens still exist and later resurfaced as the ERC-721 wrapper known as V1 CryptoPunks.
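Both 2017 bugs above are payee mistakes in a pull-payment marketplace: the sale price is credited to an internal balance that the payee later withdraws, and the wrong key is credited. The Solidity below is an added illustration written for this article, not code from MoonCatRescue, CryptoPunks or Larva Labs; the contract and variable names (MarketplaceVulnerable, owners, askPrice, pendingWithdrawals, treasury) are hypothetical. It shows the two failure modes side by side with a corrected version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from MoonCatRescue or CryptoPunks. The names below are
// hypothetical. A minimal pull-payment marketplace: a sale credits an internal balance
// that the payee withdraws later, as both 2017 contracts did.

contract MarketplaceVulnerable {
    mapping(uint256 => address) public owners;            // address(0) == unsold genesis item
    mapping(uint256 => uint256) public askPrice;          // 0 == not for sale
    mapping(address => uint256) public pendingWithdrawals;

    constructor() {
        // Genesis items are listed for sale while nobody is recorded as their owner.
        for (uint256 id = 0; id < 10; id++) askPrice[id] = 0.1 ether;
    }

    // Bug A (MoonCat pattern): the payee is whatever owners[id] holds. For a genesis item
    // that is address(0); ETH credited to that key can never be withdrawn by anyone.
    function buyGenesisStyle(uint256 id) external payable {
        require(askPrice[id] != 0 && msg.value >= askPrice[id], "not for sale / underpaid");
        address seller = owners[id];
        owners[id] = msg.sender;
        askPrice[id] = 0;
        pendingWithdrawals[seller] += msg.value;          // seller may be address(0): funds locked
    }

    // Bug B (CryptoPunks V1 pattern): the buyer is credited instead of the seller, so the
    // buyer keeps the token and can withdraw their own payment straight back.
    function buyPunkStyle(uint256 id) external payable {
        require(askPrice[id] != 0 && msg.value >= askPrice[id], "not for sale / underpaid");
        owners[id] = msg.sender;
        askPrice[id] = 0;
        pendingWithdrawals[msg.sender] += msg.value;      // should have been the seller
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        pendingWithdrawals[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }
}

contract MarketplaceFixed {
    address public immutable treasury;                    // receives genesis-sale proceeds
    mapping(uint256 => address) public owners;
    mapping(uint256 => uint256) public askPrice;
    mapping(address => uint256) public pendingWithdrawals;

    event Sold(uint256 indexed id, address indexed payee, address indexed buyer, uint256 price);

    constructor(address treasury_) {
        require(treasury_ != address(0), "zero treasury");
        treasury = treasury_;
        for (uint256 id = 0; id < 10; id++) askPrice[id] = 0.1 ether;
    }

    function buy(uint256 id) external payable {
        uint256 price = askPrice[id];
        require(price != 0, "not for sale");
        require(msg.value >= price, "underpaid");
        address seller = owners[id];
        // Make the "no owner on record" state explicit and route it somewhere withdrawable,
        // instead of silently crediting address(0).
        address payee = seller == address(0) ? treasury : seller;
        // Effects before any interaction; the payee is the seller, never msg.sender.
        owners[id] = msg.sender;
        askPrice[id] = 0;
        pendingWithdrawals[payee] += msg.value;
        emit Sold(id, payee, msg.sender, msg.value);
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount != 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;               // zero first, so a re-entrant call finds nothing
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A unit test that buys a genesis item and then asserts `pendingWithdrawals[address(0)] == 0` and `pendingWithdrawals[buyer] == 0` would have caught both patterns before launch; the fixed contract also zeroes the balance before sending, which is what keeps the withdraw path safe against re-entrancy.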


Meebits

Larva Labs' next project, Meebits, minted characters with randomly assigned traits, and buyers hoped to draw a rare one. The mint appeared to work as designed, yet some users exploited a weakness in the process to pick out the traits they wanted.

A user known as 0xNietzsche turned the minting process to his advantage. Meebits published a file, referenced from the smart contract, describing the traits of every token ID. Because a mint transaction could be reverted after the token ID was assigned, a user could compare the freshly assigned ID against that traits file and cancel the mint if the result was not rare.

0xNietzsche submitted more than 300 transactions to work this loophole, reverting every mint whose result was not rare. Over 300 transactions later he and his associates finally drew a rare Meebit (#16647). Reverted transactions still consume gas, and he was reportedly burning around $20K per hour while waiting for the rare draw. The weakness in the contract was thus exposed. They sold the rare Meebit for 200 ETH, worth about $750K at the time.

When Larva Labs became aware of it, they temporarily paused Meebit minting but stressed that the contract was safe and that trading was unaffected. They were not wrong in the narrow sense: Meebits were still assigned randomly, and the exploit only paid off for someone willing to spend a great deal of time and gas discarding unfavorable results. By then, in any case, minting had come to an end.


Hashmasks

In the late stages of the Hashmasks art sale, security researcher samczsun reported a bug in the mint function of the project's Masks.sol smart contract. Unlike the three cases above, no damage was done: Hashmasks was able to take remedial steps in time.

Had an attacker exploited the bug, they could have minted more than the intended cap of 16,384 Hashmasks. The bug had slipped past testing. Hashmasks rewarded samczsun with $12,500 USDC for the disclosure.
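The Meebits sequence above, and the batch-aware supply-cap check that the Hashmasks over-mint points toward, as an added Solidity example written for this article. It is not the Meebits, Hashmasks or Larva Labs code, and the contract and function names (RandomPool, MintVulnerable, RaritySniper, MintCommitReveal, requestMint, reveal) are hypothetical. The vulnerable mint fixes the token ID inside the same transaction, so a caller contract can inspect the result and revert; the fixed version takes payment first and derives the ID from a block hash that does not exist yet, so reverting the reveal refunds nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the Meebits or Hashmasks code. All names are hypothetical.

// Fisher-Yates draw over the virtual array 0..MAX_SUPPLY-1, shared by both mints.
abstract contract RandomPool {
    uint256 public constant MAX_SUPPLY = 20_000;
    uint256 internal remaining = MAX_SUPPLY;
    mapping(uint256 => uint256) private swapped;          // stores value+1 so 0 means "untouched"

    function _drawId(uint256 rand) internal returns (uint256 id) {
        require(remaining > 0, "sold out");
        uint256 i = rand % remaining;
        uint256 last = remaining - 1;
        id = swapped[i] == 0 ? i : swapped[i] - 1;
        swapped[i] = swapped[last] == 0 ? last + 1 : swapped[last];
        remaining = last;
    }
}

contract MintVulnerable is RandomPool {
    uint256 public constant PRICE = 2.5 ether;
    mapping(uint256 => address) public ownerOf;

    // The outcome is fully determined inside this transaction, so the caller can
    // look at the returned ID and revert if it dislikes the result.
    function mint() external payable returns (uint256 id) {
        require(msg.value == PRICE, "wrong price");
        uint256 rand = uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), msg.sender, remaining)));
        id = _drawId(rand);
        ownerOf[id] = msg.sender;
    }
}

interface IMintVulnerable { function mint() external payable returns (uint256); }

// The sniper: rare IDs are known in advance from the public traits file.
contract RaritySniper {
    IMintVulnerable public immutable target;
    mapping(uint256 => bool) public isRare;

    constructor(IMintVulnerable target_, uint256[] memory rareIds) {
        target = target_;
        for (uint256 k = 0; k < rareIds.length; k++) isRare[rareIds[k]] = true;
    }

    // Not rare: revert the whole transaction. Mint and payment are undone, but the
    // gas for the attempt is still burned. The rare token ends up owned by this contract.
    function tryMint() external payable {
        uint256 id = target.mint{value: msg.value}();
        require(isRare[id], "not rare, retry");
    }
}

contract MintCommitReveal is RandomPool {
    uint256 public constant PRICE = 2.5 ether;
    uint32 public constant MAX_PER_TX = 20;
    mapping(uint256 => address) public ownerOf;

    struct Request { address buyer; uint64 revealBlock; uint32 count; }
    Request[] public requests;
    uint256 public committed;                              // paid for, not yet revealed

    // Step 1: pay now. The IDs will depend on a block hash nobody knows yet.
    function requestMint(uint32 count) external payable returns (uint256 requestId) {
        require(count > 0 && count <= MAX_PER_TX, "bad count");
        require(msg.value == PRICE * count, "wrong price");
        // Batch-aware cap: check the whole batch, not merely that one token is left.
        require(committed + count <= remaining, "exceeds supply");
        committed += count;
        requests.push(Request(msg.sender, uint64(block.number + 1), count));
        requestId = requests.length - 1;
    }

    // Step 2: anyone may reveal. Reverting here refunds nothing, so there is nothing to snipe.
    function reveal(uint256 requestId) external {
        Request memory r = requests[requestId];
        require(r.count > 0, "already revealed");
        require(block.number > r.revealBlock, "too early");
        bytes32 h = blockhash(r.revealBlock);
        require(h != bytes32(0), "reveal window passed");  // blockhash is available for 256 blocks only
        requests[requestId].count = 0;
        committed -= r.count;
        for (uint32 k = 0; k < r.count; k++) {
            uint256 id = _drawId(uint256(keccak256(abi.encodePacked(h, requestId, k))));
            ownerOf[id] = r.buyer;
        }
    }
}
```

Two caveats for anyone adapting the commit-reveal version: a request that nobody reveals within 256 blocks loses its block hash, so production code needs a fallback (a refund path or a fresh hash), and block hashes are weakly influenceable by the block producer, so a high-value drop should take its randomness from a VRF rather than from `blockhash`.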

Vulnerabilities in smart contracts – a spotlight

Attackers have grown more sophisticated, and NFT projects must use adequate protection tools and have their smart contracts thoroughly audited. Common smart contract bug classes include transaction-ordering dependence (TOD), timestamp dependence, and re-entrancy.

Wrapping up

While industry standards are still taking shape, smart contract auditing and penetration testing have emerged as the two benchmarks for strong security in blockchain systems, and the people best qualified to carry them out are blockchain engineers who specialize in audits.

Although the prevailing practice in the NFT space is to have smart contracts audited before tokens go on sale, some projects that have yet to raise funds are tempted to take a shortcut and skip this crucial phase.

That shortcut can be fatal: a bug may drain all of a project's funds, or an arithmetic overflow may let someone alter account balances. To make sure your project does not repeat CryptoPunks, Meebits, or MoonCatRescue, a smart contract audit is the only sensible choice.

