Unforgettable NFT Smart Contracts Exploits

Unforgettable NFT Smart Contracts Exploits

Unforgettable NFT Smart Contracts Exploits

Unforgettable NFT Smart Contracts Exploits

Unforgettable NFT Smart Contracts Exploits

Read Time: 4 minutes

On the way to launch an NFT project? Well, here are some statistics that will delight you!

As per a report from Fox News, NFTs reached a sales volume of $2.5 billion this year in the initial six months! This was right after hitting a total of $13.7 million in 2020. OpenSea in June recorded $125 Million worth of NFT sales. As per NonFungible.com, nearly 20K buyers have bought NFTs every week since March on the Ethereum blockchain. This even outnumbered the number of sellers.

However, the whopping rise doesn’t mean NFTs are free of issues. NFTs are built on smart contracts that are prone to exploitation and hacking. According to Bitcoin News, 25% of all smart contracts have critical bugs. Apart from these, other contracts are also likely to contain bugs of various types and severity levels. Developers, often working in a hurry or because of a lack of knowledge, may create faulty contracts, which might cause the loss of millions of dollars to the project promoters.

Leave a bug untraced, and even a billion dollars you have accumulated will give you no protection against bugs.

Let us throw light on the three popular NFT projects that experienced fatal outcomes due to bugs and mischievous tweaks:


In 2017, just after the arrival of CryptoPunks and before the launch of CryptoKitties, two developers known as ‘Ponderware’ created blockchain-collectible cats. Known as MoonCatRescue, it started on a flawed note. Its erroneous smart contract resulted in the loss of some ETH before they could resolve the issue. Here’s how things turned out to be:

MoonCats planned to collect ether from the sale of the genesis cats. However, a fix during the QA process culminated in the permanent locking of these funds.

When a user adopted the MoonCat, the piece-code `transferCat(catId, catOwners[catId], msg.sender, offer.price)’ moved the funds to `require(catOwners[catId] != 0x0)’. It is a kind of issue that should have been reasonably resolved in the testing phase. However, it didn’t happen, and the project lost out on a fair amount of ETH.


Launched in 2017 as the first NFT project, CryptoPunks was adversely affected when it was suffering from a severe bug that led to the non-receipt of payments despite the sales. The bug was found after all of the 10,000 Punks were traded, and the secondary market started functioning.

Larva Labs, the creators of CryptoPunks, zeroed in on testing quality in the pre-launch phase for this issue. John Watkinson, the co-founder of CryptoPunks, posted a Twitter thread to clarify this bug issue comprehensively. Subsequently, Larva Labs re-launched this project with an updated smart contract. They also brought in the V1 punks as V1 CryptoPunks ERC-721 wrapper.


Also, a project of LarvaLabs came up with its new project with the name ‘Meebits.’ It involved minting Meebits with random traits. The users attempted to find a Meebit that was rare. The project was thought to be functioning perfectly well; however, some users exploited the loopholes to deceive the system and find the traits to obtain the Meebit they desired.

A user named ‘0xNietzsche’ rode Meebits’ process, using it to his advantage. There was an archived file in Meebits’ smart contract to demonstrate the status of every token ID. Users were allowed to execute Meebit generation and cancel the same if it wasn’t found to be rare. This was possible using a comparison of the traits file.

0xNietzsche took the pains of initiating over 300 transactions for testing this loophole. Each Meebit was canceled in case it wasn’t carrying rare traits. 300+ transactions later, he and his associates finally came across a rare Meebit (#16647). It was discovered how he had to shell out $20K every hour in gas charges while waiting to get the rare Meebit. The vulnerability of the smart contract thus got exposed. They ended up selling their rare Meebit for 200 ETH, which was valued around $750K at that time.

When LarvaLabs became aware of it, they temporarily paused the Meebit minting. However, they stressed the contract was safe, and trading was working just fine. They were not wrong as the Meebits continued to be assigned randomly. Users could not have exploited the contract unless they were willing to invest a lot of time and gas charges for the same. By then, as such, the Meebit minting had come to an end.


A bug was reported by samczsun in the Hashmasks art sale during the late stages. Unlike the above three, however, there was no damage and Hashmask was able to take remedial steps in time. Samczsun raised a flag about a potential bug in Masks.sol smart contract of hashmasks, in the mint NFT function.

Had an attacker been able to exploit the bug, they would have minted more than 16,384 Hashmasks. Somehow, the bug could not be discovered during the testing phase. Hashmasks awarded samczun with $12,500 USDC for the bug disclosure.

Vulnerabilities in smart contracts – a spotlight

Attackers have become smarter, and NFT projects must use adequate protection tools and conduct thorough audits of the smart contract. Some common bugs in smart contracts are transaction ordering dependence (TOD), timestamp dependency, and re-entrancy.

Wrapping up

When industry standards are still taking shape, smart contract auditing and penetration testing have emerged as two benchmarks for strong security in blockchain systems. For this purpose, there is no one better qualified than the blockchain engineers specializing in blockchain audits.

Though the prevalent practice in the NFT arena is to have smart contracts audited before the sale of tokens, some projects that are yet to raise funds may try to take the shortcut and skip this crucial phase. 

Such a misconceived step might prove fatal for your projects, resulting in all your funds getting drained, or there might be bugs manipulating buffer overflow to alter account balances. To ensure your project doesn’t become a repeat of CryptoPunks, Meebits, and MooncatRescue, settling for a smart contract audit is the most logical way out.


Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More

Blockchain’s Privacy Frontier: zk-STARKs vs zk-SNARKs Explained

Read Time: 7 minutes Introduction  In 2022, Epic Games CEO Tim Sweeney expressed that zero-knowledge proofs (ZKPs) would be a crucial aspect of blockchain technology in the future. ZKPs
Read More

Web3 Security Essentials: Understanding and Protecting Unique Identifiers

Read Time: 9 minutes Web3 has transformed our identities into vital components of online interactions, transactions, and connections. Unique Identifiers (UIDs) address privacy, security, and data control challenges, securing
Read More

Navigating Smart Contract Risks and Best Practices

Read Time: 9 minutes The concept of decentralization in DeFi may mask the real risks that both experienced and new investors might encounter. Smart contracts, critical to DeFi platforms,
Read More

What Is Nakamoto Consensus? The Mechanism That Powers Bitcoin  

Read Time: 7 minutes Introduction Imagine a lively market where diverse people trade things and services, relying on trust and openness. The key challenge is to secure the integrity
Read More

NFT Security 101: Common Vulnerabilities and Major NFT Hacks

Read Time: 6 minutes According to statista.com projections, the non-fungible token (NFT) market is expected to experience significant growth in terms of both revenue and user engagement. The NFT
Read More

Radiant Capital Hack Analysis

Read Time: 7 minutes Decoding the Radiant Capital Heist: A Comprehensive Analysis of the $4.5 Million Cyberattack Summary On January 3, 2024, Radiant Capital, a cross-chain lending protocol on
Read More

Demystifying Shared Sequencing

Read Time: 7 minutes Introduction  In the rapidly evolving sphere of blockchain technology, a significant spotlight has been cast on Layer 2 scaling solutions, particularly as a response to
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+