Unforgettable NFT Smart Contract Exploits

NFT smart contract exploits in the recent past.

Table of Contents

Read Time: 5 minutes

On the way to launch an NFT project? Well, here are some statistics that will delight you!

As per a report from Fox News, NFTs reached a sales volume of $2.5 billion this year in the initial six months! This was right after hitting a total of $13.7 million in 2020. OpenSea in June recorded $125 Million worth of NFT sales. As per NonFungible.com, nearly 20K buyers have bought NFTs every week since March on the Ethereum blockchain. This even outnumbered the number of sellers.

However, the whopping rise doesn’t mean NFTs are free of issues. NFTs are built on smart contracts that are prone to exploitation and hacking. According to Bitcoin News, 25% of all smart contracts have critical bugs. Apart from these, other contracts are also likely to contain bugs of various types and severity levels. Developers, often working in a hurry or because of a lack of knowledge, may create faulty contracts, which might cause the loss of millions of dollars to the project promoters.

Leave a bug untraced, and even a billion dollars you have accumulated will give you no protection against bugs.

Let us throw light on the three popular NFT projects that experienced fatal outcomes due to bugs and mischievous tweaks:


In 2017, just after the arrival of CryptoPunks and before the launch of CryptoKitties, two developers known as ‘Ponderware’ created blockchain-collectible cats. Known as MoonCatRescue, it started on a flawed note. Its erroneous smart contract resulted in the loss of some ETH before they could resolve the issue. Here’s how things turned out to be:

MoonCats planned to collect ether from the sale of the genesis cats. However, a fix during the QA process culminated in the permanent locking of these funds.

When a user adopted the MoonCat, the piece-code `transferCat(catId, catOwners[catId], msg.sender, offer.price)’ moved the funds to `require(catOwners[catId] != 0x0)’. It is a kind of issue that should have been reasonably resolved in the testing phase. However, it didn’t happen, and the project lost out on a fair amount of ETH.


Launched in 2017 as the first NFT project, CryptoPunks was adversely affected when it was suffering from a severe bug that led to the non-receipt of payments despite the sales. The bug was found after all of the 10,000 Punks were traded, and the secondary market started functioning.

Larva Labs, the creators of CryptoPunks, zeroed in on testing quality in the pre-launch phase for this issue. John Watkinson, the co-founder of CryptoPunks, posted a Twitter thread to clarify this bug issue comprehensively. Subsequently, Larva Labs re-launched this project with an updated smart contract. They also brought in the V1 punks as V1 CryptoPunks ERC-721 wrapper.


Also, a project of LarvaLabs came up with its new project with the name ‘Meebits.’ It involved minting Meebits with random traits. The users attempted to find a Meebit that was rare. The project was thought to be functioning perfectly well; however, some users exploited the loopholes to deceive the system and find the traits to obtain the Meebit they desired.

A user named ‘0xNietzsche’ rode Meebits’ process, using it to his advantage. There was an archived file in Meebits’ smart contract to demonstrate the status of every token ID. Users were allowed to execute Meebit generation and cancel the same if it wasn’t found to be rare. This was possible using a comparison of the traits file.

0xNietzsche took the pains of initiating over 300 transactions for testing this loophole. Each Meebit was canceled in case it wasn’t carrying rare traits. 300+ transactions later, he and his associates finally came across a rare Meebit (#16647). It was discovered how he had to shell out $20K every hour in gas charges while waiting to get the rare Meebit. The vulnerability of the smart contract thus got exposed. They ended up selling their rare Meebit for 200 ETH, which was valued around $750K at that time.

When LarvaLabs became aware of it, they temporarily paused the Meebit minting. However, they stressed the contract was safe, and trading was working just fine. They were not wrong as the Meebits continued to be assigned randomly. Users could not have exploited the contract unless they were willing to invest a lot of time and gas charges for the same. By then, as such, the Meebit minting had come to an end.


A bug was reported by samczsun in the Hashmasks art sale during the late stages. Unlike the above three, however, there was no damage and Hashmask was able to take remedial steps in time. Samczsun raised a flag about a potential bug in Masks.sol smart contract of hashmasks, in the mintNFT function.

Had an attacker been able to exploit the bug, they would have minted more than 16,384 Hashmasks. Somehow, the bug could not be discovered during the testing phase. Hashmasks awarded samczun with $12,500 USDC for the bug disclosure.

Vulnerabilities in smart contracts – a spotlight

Attackers have become smarter, and NFT projects must use adequate protection tools and conduct thorough audits of the smart contract. Some common bugs in smart contracts are transaction ordering dependence (TOD), timestamp dependency, and re-entrancy.

Wrapping up

When industry standards are still taking shape, smart contract auditing and penetration testing have emerged as two benchmarks for strong security in blockchain systems. For this purpose, there is no one better qualified than the blockchain engineers specializing in blockchain audits.

Though the prevalent practice in the NFT arena is to have smart contracts audited before the sale of tokens, some projects that are yet to raise funds may try to take the shortcut and skip this crucial phase. 

Such a misconceived step might prove fatal for your projects, resulting in all your funds getting drained, or there might be bugs manipulating buffer overflow to alter account balances. To ensure your project doesn’t become a repeat of CryptoPunks, Meebits, and MooncatRescue, settling for a smart contract audit is the most logical way out.

Reach out to QuillHash

With an industry presence of years, QuillHash has delivered enterprise solutions across the globe. QuillHash with a team of experts is a leading blockchain development company providing various industry solutions including DeFi enterprise, If you need any assistance in the smart contracts audit, feel free to reach out to our experts here!

Follow QuillHash for more updates

Twitter | LinkedIn Facebook


Related Articles

Leave a Comment

Your email address will not be published. Required fields are marked *

⏱️Let’s #Quiz it..!

The unauthorized use of someone’s computer🖥️to mine #CRYPTOCURRENCY is known as?

#poll #crypto

💰$10 Billion was lost in #DeFi related #hacks in 2021, and this figure is expected to scale more heights this year🧵.

Catch it Here🚀: https://blog.quillhash.com/2022/01/19/beginners-guide-to-smart-contract-auditing-part-1/


💪 @MonsterNfts Begins Audit Process at @QuillAudits
QuillAudits - Smart Contracts Auditing Services, DeFi Safety Audits, Cybersecurity solutions for Blockchain & Crypto products

🚀 We are about to announce the big news. Do not miss


Latest edition of our Weekly #Newsletter📮.

|| IDO projects Rug Pulled on @BinanceChain, loss - $2.6M
|| @lcx Hot Wallets compromised, loss - $6.5M
|| Altcoin project #hacked: 136,000 tokens withdrawn.
|| @Polygon Discord bot impersonated.

Read Here🚀- https://quillaudits.substack.com/

We at QuillAudits are committed to #secure DeFi/NFT platforms!

Further, we would like to know your opinion over few questions on DeFi/Smart Contracts Security that would make #web3.0 platforms safe from any future potential threats.
#DeFi #Security


Load More...