NFT scams and attacks have seen investors lose more than US$86 million this year alone, according to data from Comparitech.
So, when a company known as Rug Pull Finder, which markets itself as providing services to help combat scams, fraud and hacks in the crypto industry, ended up having its own NFT project hacked, some pretty strong criticism ensued.
What happened to Rug Pull Finder?
Late last week, Rug Pull Finder launched their own NFT project, titled Bad Guys, which is based on a series of nefarious cartoon characters who go around stealing NFTs. In a turn of events that can only be described as brutally ironic, the Bad Guys NFT project was itself exploited during the free mint stage due to a flaw in its smart contract.
As a result, two users managed to mint 450 NFTs, instead of the allocated one per user.
The news of Rug Pull Finder’s flaw first came to light after a blockchain security analyst known on Twitter as OKHotshot posted a brief explanation of how the NFT project was taken advantage of. OKHotshot said that “Rug Pull Finder’s NFT contract was ‘abused’ to mint 400 NFTs instead of 1 per wallet, [because] the mint function is missing the required checks.”
OKHotshot clarified that while the debacle was “not a hack or technically an exploit”, since it was caused by a bug in the project’s smart contract itself, they still found it “concerning” that projects like Rug Pull Finder could be offering such services.
Rug Pull Finder co-founder pushes back at critics
In an interview with The Chainsaw, the co-founder of NFT Rug Pull Finder, Nik Horniacek, was upfront about the details of the event and immediately acknowledged its irony.
“It’s definitely ironic that we have audited over 30 smart contracts, including some extremely successful projects, but did not have our contract properly audited. These oversights are what lead to dozens of similar situations across various projects every week,” Horniacek admitted.
Horniacek explained that the attacker responsible, who can be identified by a wallet titled coordinatedrpcattack.eth, had done this before, as they “clearly look to find exploits like what [Rug Pull Finder] experienced and take advantage of them”.
In an apologetic Twitter thread, the Rug Pull Finder account wrote, “An exploit was shared with us 30 minutes before mint went live. After reviewing it with three different dev teams, we did not believe the credibility of the information sent to us… We were clearly wrong, and we are truly truly sorry”.
Horniacek went on to say that the criticism that Rug Pull Finder has received from OKHotshot and the broader crypto community is fundamentally unjustified.
“I do find it fascinating that some people, like @OKHotshot, and projects we’ve called scams in the past, are using this event to discredit the investigative work we’ve done to make the space safer,” he said.
“Our core team are fraud fighters and OSINT-focused, not developers. We’ve reported over $2.4 billion of fraud since Dec 2021,” Horniacek added.
NFT Scam: What happens to Rug Pull Finder now?
Rug Pull Finder announced they had reached an agreement with the users who “abused” the flaw in the mint function, and purchased the 366 NFTs the pair still held for 2.5 ETH (US$3,923).
Following the successful return of the NFTs, the team at Rug Pull Finder decided to redistribute the NFTs by raffling off 10 of them on Twitter Spaces, adding 17 to the Bad Guys Vault, and raffling off the remaining 303 in a mix of public sales and allocations to future projects.
Horniacek said that while the Rug Pull Finder team is still very much “reeling from the event,” it has allowed them to “prove what we preach to founders and communities every single day – projects and businesses make mistakes, it’s inevitable.”
“The key is transparency and accountability.”
Horniacek said that, moving forward, the Rug Pull Finder team isn’t going anywhere, asserting instead that they’re “only just getting started.”