In a rather ironic turn of events, an NFT company focused on identifying fraud in the Web3 space has fallen victim to a security breach.
Rug Pull Finder’s NFT contract was compromised last week, allowing two people to mint 450 NFTs instead of one per wallet. According to a Friday post on Twitter, the malicious actors exploited a technical flaw in the project’s free NFT mint that let them exceed the maximum number of NFTs per wallet.
Rug Pull Finder (RPF) tried to remedy the situation by offering one of the bad actors a bounty of 2.5 ETH (or about $3,944 as of press time) to recover 300 of the stolen NFTs. One of the exploiters agreed, with the RPF team noting that the hackers “did negotiate in good faith and allow us to come to a reasonable solution with them.”
Dubbed “Bad Guys,” the free mint is a collection of “scammers accidentally let loose on the blockchain.” The collection serves as a whitelist for members ahead of an upcoming 10,000-NFT series this fall. Holding a Bad Guy NFT will provide exclusive access to RPF’s main drop.
The watchdog group had been warned about the flaw beforehand. It admitted that it had received an anonymous tip 30 minutes before its mint went live. “After reviewing it with three different dev teams, we did not believe the credibility of the information sent to us... We were clearly wrong, and we are truly, truly sorry,” RPF said.
The incident was met with mixed reactions from the crypto community. While some lauded the NFT investigator for admitting its fault, others questioned how a company that is supposed to detect Web3 fraud failed to conduct proper checks on its own project.