
Cyber Incident Victim: Rug Pull Finder

Date:

Sep 2022

Location:

United States of America

Summary

A smart contract auditing firm experienced an exploit during its own NFT project's minting phase, allowing two individuals to bypass per-wallet limits and acquire 450 NFTs from a 1,221-asset collection. The company acknowledged that it had failed to audit its project's smart contracts, either internally or through third parties, despite receiving an anonymous warning about the critical flaw shortly before launch. After determining that the exploiters' actions were not illegal but rather opportunistic use of the oversight, the firm paid 2.5 ETH to recover most of the stolen assets, later distributing them via a free raffle while absorbing the financial loss. Security researchers criticized the incident as ironic, noting that the firm neglected to implement preventive checks for its own project while marketing such services to others, and opted against fixing the underlying code post-incident.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 2, 2022, Rug Pull Finder, a web3 security firm specializing in smart contract audits, experienced an exploit involving its own "Bad Guys" NFT collection. Two individuals exploited a critical flaw in the project's smart contract during the free minting phase, bypassing the intended one-NFT-per-wallet restriction and allocating 450 NFTs to themselves from the 1,221-asset collection. The company acknowledged the incident publicly, attributing the breach to its failure to audit the smart contract code developed by Doxxed Media for this specific project. Rug Pull Finder admitted that it neither conducted an internal audit nor engaged a third-party auditor, calling this oversight a significant error. Approximately 30 minutes before the project launch, the company received an anonymous warning about the vulnerability but dismissed it as non-critical, a decision it later recognized as a mistake. Following the exploit, Rug Pull Finder clarified that the individuals involved were not hackers or scammers, since they exploited a technical flaw without taking any illegal action, and characterized their activity as profit-driven bug exploitation rather than malicious intrusion.


The company negotiated with the exploiters, paying them 2.5 ETH (several thousand dollars at the time) to recover 366 of the stolen NFTs, though it did not disclose the status of the remaining 84 assets. Rug Pull Finder treated the financial loss from this payment as unrecoverable and raffled the recovered NFTs for free within days of the incident. Security researcher "NFTherder" publicly criticized the firm's handling of the breach, noting that Rug Pull Finder neither implemented technical safeguards such as transaction checks and restrictions before the incident nor redeployed corrected code afterward, opting instead for a financial settlement with the exploiters. The researcher highlighted the irony of a security-focused watchdog group compensating individuals for the very activities it campaigns against, while also expressing concern about the firm's compromised Discord server and the broader implications for its auditing credibility. No data breach or additional system compromise beyond the NFT allocation exploit was reported in connection with the incident.

Sources: 1 source (available to members)