Larva Labs, a popular NFT developer, was on the receiving end of an exploit that could have cost it nearly $700,000. An attacker managed to mint a rare NFT from the Meebits collection, estimated to be worth $700,000, and offered to sell it for 300 ETH on OpenSea. The exploiter even continued to offer hints on the Meebits Discord server as well as on Twitter.
The attacker offered multiple hints during the exploit and said he anticipated making $300,000 per hour, then later deleted those tweets. The attacker used “rerolling” to mint an expensive rare collectible: the contract gave him the rare one after 345 total transactions. The Etherscan address gave the first hint of a possible exploit when it showed multiple absurd transactions.
Meebits Pauses Trading Function to Stop Further Exploits
The Meebits contract then paused all trading functions and minting options to stop any further exploitation, and the developer explained how the attacker managed to exploit the contract:
The contract is safe, all Meebits are safe, and trading is working just fine. Minting has an exploit due to the fact that the identity of the remaining unminted Meebits has leaked. So this allows somebody with mints remaining to mint & revert until they get a mint number that they like. Trading is only paused because it gets paused automatically when minting is paused.
The NFT developer explained that the exploit was not due to any shortcoming in their smart contract: the contract is fine, but the IDs became known because they were on IPFS. The community, meanwhile, went on to discuss the incident and its possible impact on the price of the collectibles in the Meebits collection.
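A defender-side check for the mint-and-revert pattern described above, as an added example that is not from Larva Labs or the original article: it flags senders whose mint calls are almost all reverts, the kind of "absurd" transaction history the block explorer showed. The transaction records, field names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_txs():
    """Constructed sample records (not real chain data)."""
    txs = []
    # One sender retrying mint: 12 reverted calls, then one that succeeds.
    txs += [{"from": "0xreroller", "method": "mint", "reverted": True}] * 12
    txs.append({"from": "0xreroller", "method": "mint", "reverted": False})
    # Ordinary minters: one clean mint, and one with a single failed attempt.
    txs.append({"from": "0xalice", "method": "mint", "reverted": False})
    txs.append({"from": "0xbob", "method": "mint", "reverted": True})
    txs.append({"from": "0xbob", "method": "mint", "reverted": False})
    # Unrelated activity that must be ignored by the mint check.
    txs += [{"from": "0xcarol", "method": "transfer", "reverted": True}] * 8
    return txs

SAMPLE_TXS = build_sample_txs()

def flag_mint_revert_loops(txs, method="mint", min_reverts=5, min_ratio=0.9):
    """Return {sender: stats} for senders whose calls to `method` are mostly reverts.

    min_reverts and min_ratio are assumed thresholds; tune them against the
    contract's normal failure rate (out-of-gas, sold-out, paused).
    """
    stats = defaultdict(lambda: {"reverted": 0, "succeeded": 0})
    for tx in txs:
        if tx["method"] != method:
            continue
        key = "reverted" if tx["reverted"] else "succeeded"
        stats[tx["from"]][key] += 1

    flagged = {}
    for sender, s in stats.items():
        total = s["reverted"] + s["succeeded"]
        ratio = s["reverted"] / total
        # Require both volume and ratio so a single failed mint is not flagged.
        if s["reverted"] >= min_reverts and ratio >= min_ratio:
            flagged[sender] = {**s, "revert_ratio": round(ratio, 3)}
    return flagged

if __name__ == "__main__":
    for sender, s in flag_mint_revert_loops(SAMPLE_TXS).items():
        print(sender, s)
```

A detector like this only surfaces the behaviour after the fact; the condition that made it profitable was the leaked identity of the unminted tokens, as the developer's statement says.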