Larva Labs, a popular NFT developer, was on the receiving end of an exploit that could have cost it nearly $700,000. An attacker minted a rare NFT from the Meebits collection, estimated to be worth $700,000, and offered to sell it for 300 ETH on OpenSea. Interestingly, the exploiter even continued to offer hints on the Meebits Discord server and Twitter.
The attacker offered multiple hints during the exploit and said he expected to make $300,000 per hour, then later deleted those tweets. The attacker used “rerolling” to mint an expensive rare collectible, with the contract offering him the rare one after 345 total transactions. The Etherscan page for the address gave the first hint about the exploit, as it showed multiple absurd transactions.
Meebits Pauses Trading Function to Stop Further Exploits
The contract is safe, all Meebits are safe, and trading is working just fine. Minting has an exploit because the identity of the remaining unminted Meebits has leaked. So this allows somebody with mints remaining to mint & revert until they get a mint number that they like. Trading is only paused because it gets paused automatically when minting is paused.
The NFT developer explained that the exploit did not stem from any shortcoming in the smart contract itself; rather, the IDs became known because they were on IPFS. The community, however, went into discussion mode, debating the exploit and its impact on the price of collectibles in the Meebits collection.
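
The mint-and-revert behaviour described in the developer's statement can be seen in a toy Python model, added here as an example (it is not Larva Labs' contract and not code from the original article). It compares a mint whose ID-to-metadata mapping is already known with an assumed variant, not mentioned in the article, where the mapping is shifted by an offset fixed only after minting closes; all names, the supply, the seed and the offset are constructed.

```python
import random

class RevertTx(Exception):
    """Caller aborts the transaction; every state change in it is undone."""

class MintModel:
    """Toy model of a random-ID mint. Not the Meebits contract."""
    def __init__(self, supply, seed, deferred=False):
        self.rng = random.Random(seed)      # stands in for on-chain ID selection
        self.supply = supply
        self.unminted = list(range(supply))
        self.deferred = deferred            # True: metadata assigned after minting closes
        self.offset = 0

    def mint(self, accept):
        """Draw an unminted ID; `accept` is the caller's check in the same transaction."""
        pos = self.rng.randrange(len(self.unminted))
        token_id = self.unminted[pos]
        if not accept(token_id):
            raise RevertTx()                # nothing was removed, so the ID stays unminted
        self.unminted.pop(pos)
        return token_id

    def close_minting(self, offset):
        """Deferred design only: fix the ID-to-metadata shift once minting is over."""
        if self.deferred:
            self.offset = offset % self.supply

    def metadata_index(self, token_id):
        """Which metadata record (and so which rarity) the token ends up with."""
        return (token_id + self.offset) % self.supply

def mint_until_liked(model, liked_ids, max_tries=100_000):
    """Mint and revert until the drawn ID is one the caller likes."""
    for attempt in range(1, max_tries + 1):
        try:
            return model.mint(lambda tid: tid in liked_ids), attempt
        except RevertTx:
            continue
    raise RuntimeError("no liked ID drawn")

def compare(supply=1000, seed=7, offset=1):
    rare = set(range(0, supply, 200))       # constructed: metadata records known to be rare
    out = {}
    for name, deferred in (("leaked", False), ("deferred", True)):
        m = MintModel(supply, seed, deferred)
        token_id, attempts = mint_until_liked(m, rare)
        m.close_minting(offset)
        out[name] = (m.metadata_index(token_id) in rare, attempts, len(m.unminted))
    return out

if __name__ == "__main__":
    print(compare())
```

Each tuple is (token ended up rare, attempts used, IDs still unminted): with the mapping leaked the caller always ends on a rare record, while with the deferred offset the same selection no longer determines rarity.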