Ethscriptions Protocol Suffers Setback as Marketplace Exploit Allows Theft of Over 200 Inscriptions
A critical vulnerability in the smart contract code powering the Ethscriptions marketplace allowed the theft of over 200 rare digital collectibles created using the novel Ethscriptions protocol.
Ethscriptions founder Tom Lehman took to Twitter on Friday expressing dismay over the "bumpy landing," stating that around 123 Ethereum addresses lost approximately 202 ethscriptions due to an exploit in the marketplace's smart contract.
The ethscriptions stolen include some of the rarest and most valuable from the protocol's early days, with Lehman specifically lamenting the loss of Ethscription #56. Early ethscriptions often carry prestige and high value, similar to low-mint-number NFTs.
While the total dollar value stolen is unclear, some ethscriptions have sold for up to 5 ETH each, or around $9,600, over the past month, according to NFT data site OpenSea, so the losses could easily tally into the six figures.
Lehman explained that a code snippet in the marketplace contract allowed users to withdraw ethscriptions they didn't actually own. This critical mistake allowed thieves to easily empty accounts of rare collectibles.
Lehman took full responsibility for the failure, admitting he and his team fell on their faces regarding the marketplace contract. He said the purpose of the marketplace was to showcase ethscriptions and help kickstart an ecosystem of applications leveraging the protocol.
Unfortunately, flaws in the marketplace contract undermined these goals while also harming early adopters who acquired rare ethscriptions. Lehman said his team is now focused on making necessary changes to the protocol and relaunching the marketplace after addressing the vulnerabilities.
Ethscriptions are not traditional NFTs. Rather than being tokens issued by smart contracts, ethscriptions leverage transaction calldata to write arbitrary data directly to the Ethereum blockchain. This novel approach saves fees and allows more creativity than NFTs.
The Ethscriptions protocol itself remains intact following the marketplace exploit. Only the ethscriptions.com marketplace was impacted. However, the incident may slow adoption of ethscriptions as developers address security concerns.
Lehman admitted that minimizing smart contract storage can introduce challenges that require strategic thinking around access control and permissions. His team failed to adequately address these issues in the initial marketplace contract.
While coding mistakes are understandable in novel tech like ethscriptions, the incident highlights the importance of rigorous auditing and testing for protocols handling high-value digital assets. Developers also need to take measures to mitigate losses from bugs, like centralized pause buttons.
The ethscriptions team has warned users not to list new ethscriptions on the compromised marketplace contract. Lehman says his team is communicating with victims and working quickly to enhance security and restore trust after this painful setback.
While ethscriptions offer exciting potential for decentralized creativity, developers must prioritize airtight code to avoid eroding user confidence. The lessons from this exploit will help ethscriptions and other emerging protocols enhance reliability as they seek mainstream adoption.
The crypto community remains eager to support innovative disruption. However, people will not embrace new paradigms unless their assets are protected against defects. Rigorous best practices must become the norm as users now have low tolerance for mistakes.
While damaging, the ethscriptions marketplace exploit offers a teaching moment for strengthening the decentralized future. Ethical developers focused on accountability and transparency can still build trust amid setbacks. But impervious code must match lofty ideals for projects to succeed long-term. If developers uphold their duty of care, users will stand by them.