$85 million ‘Meebits’ NFT project exploited; attacker nabs $700,000 collectible

Published at: May 8, 2021

Legendary NFT developers Larva Labs were the victims of an exploit this morning, as an attacker found a way to mint a rare NFT worth over $700,000 from the “Meebits” collection. 

The attacker, 0xNietzsche, teased the exploit on Twitter this morning, saying he anticipated making “$300,000 per hour” throughout the duration of the attack. He has since deleted the Tweets, saying that they came off as “douchey.”

Definitely sent out some regrettable tweets in the last few hours. After coming down & processing it all they do sound VERY douchey.

— 0xNietzsche (@0xNietzsche) May 8, 2021

His attack essentially centered on “rerolling” his Meebit mints until the contract gave him one he wanted. The Meebits contract includes a zipped InterPlanetary File System (IPFS) file that reveals the characteristics associated with each Meebit ID. The IDs of the remaining Meebits are public knowledge, but until knowledge of the IPFS leak spread, their characteristics were not. As a result, 0xNietzsche simply needed to make a list of desirable IDs and design a contract that minted Meebits over and over, but cancelled the transaction if he didn’t get a favorable ID.
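Why a revertible mint lets the caller bias a random draw, and how a two-step request/fulfill design removes that veto, shown as a simplified Python model. This is an added illustration, not Larva Labs' contract code; ToyMinter, its method names and the ID pool are assumptions, and the two-step pattern is a common mitigation rather than the fix Larva Labs applied.

```python
import random

class Revert(Exception):
    """Models an EVM revert: the transaction's state changes are undone."""

class ToyMinter:
    """Simplified random-ID mint (an assumption, not the Meebits contract)."""
    def __init__(self, ids, seed):
        self.remaining = list(ids)
        self.rng = random.Random(seed)   # stands in for per-block entropy
        self.pending = []                # paid requests awaiting an ID

    def mint_atomic(self, on_receive):
        # The ID is drawn and delivered inside the caller's transaction, so
        # caller code sees the outcome and can still revert everything.
        idx = self.rng.randrange(len(self.remaining))
        token = self.remaining[idx]
        on_receive(token)                # a Revert here leaves the pool untouched
        return self.remaining.pop(idx)

    def request(self, caller):
        # Step 1: the caller commits (and pays) before any ID is known.
        self.pending.append(caller)

    def fulfill(self):
        # Step 2: a later transaction assigns the ID; no caller code runs.
        idx = self.rng.randrange(len(self.remaining))
        return self.pending.pop(0), self.remaining.pop(idx)

def mint_with_rerolls(ids, wanted, mints, seed=1):
    """Return (tokens kept, attempts) when the caller reverts unwanted IDs."""
    minter, kept, attempts = ToyMinter(ids, seed), [], 0
    def picky(token):
        if token not in wanted:
            raise Revert()
    while len(kept) < mints:
        attempts += 1
        try:
            kept.append(minter.mint_atomic(picky))
        except Revert:
            pass                         # only gas is lost; try again
    return kept, attempts

def mint_two_step(ids, mints, seed=1):
    """Return the tokens assigned when the caller cannot veto the outcome."""
    minter, got = ToyMinter(ids, seed), []
    for _ in range(mints):
        minter.request("caller")
        got.append(minter.fulfill()[1])
    return got
```

The two-step form only helps if the entropy used in the fulfill step cannot be predicted at the time the request is made.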

An Etherscan address shows 345 total transactions, hundreds of which are failed “rolls” to obtain desirable Meebits. The only successful roll appears to be for Meebit 16647, a “visitor” or alien. 16647 was bought by the collector-whale Pranksy for 200 ETH. Per Opensea, the next lowest-price Visitor Meebit is listed for 300 ETH.
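The on-chain trace described above, a long run of failed calls from one address ending in a success, is a pattern a monitoring job can flag. The following detection sketch is an added example, not code from the article or from Etherscan; the records are assumed to carry `from`, `to`, `isError` and `blockNumber` fields as in an exported transaction list, and the addresses, sample data and thresholds are constructed.

```python
from collections import defaultdict

def find_reroll_pairs(txs, min_failed=20, min_fail_ratio=0.9):
    """Return {(sender, callee): stats} for pairs dominated by reverted calls."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0,
                                 "fail_run": 0, "longest_fail_run": 0})
    for tx in sorted(txs, key=lambda t: int(t["blockNumber"])):
        s = stats[(tx["from"].lower(), tx["to"].lower())]
        if tx["isError"] == "1":
            s["failed"] += 1
            s["fail_run"] += 1
            s["longest_fail_run"] = max(s["longest_fail_run"], s["fail_run"])
        else:
            s["succeeded"] += 1
            s["fail_run"] = 0
    flagged = {}
    for pair, s in stats.items():
        total = s["failed"] + s["succeeded"]
        # Many reverts AND almost nothing else: ordinary users fail occasionally,
        # a reroll loop fails almost every time.
        if s["failed"] >= min_failed and s["failed"] / total >= min_fail_ratio:
            flagged[pair] = {k: s[k] for k in
                             ("failed", "succeeded", "longest_fail_run")}
    return flagged

def _tx(block, sender, callee, failed):
    # Helper that builds one constructed record for the sample below.
    return {"blockNumber": str(block), "from": sender, "to": callee,
            "isError": "1" if failed else "0"}

# Constructed sample: placeholder addresses, not real accounts.
SENDER_A, CONTRACT_A = "0xAAAA", "0xC0DE"   # 40 reverts, then one success
SENDER_B, CONTRACT_B = "0xBBBB", "0xD00D"   # ordinary user, one stray failure
SAMPLE_TXS = (
    [_tx(100 + i, SENDER_A, CONTRACT_A, True) for i in range(40)]
    + [_tx(140, SENDER_A, CONTRACT_A, False)]
    + [_tx(100 + i, SENDER_B, CONTRACT_B, i == 2) for i in range(4)]
)

if __name__ == "__main__":
    for pair, s in find_reroll_pairs(SAMPLE_TXS).items():
        print(pair, s)
```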

Step 1) Get tagged in @larvalabs @discord.
Step 2) See Visitor #Meebit for 200 ETH ($700K) on @opensea.
Step 3) Buy #Meebit
Step 4) Hear about mint exploit, exploit closed by @larvalabs.
Step 5) Have and hold Visitor #Meebit #16647 https://t.co/MlBqZc5Mxq #NFTs #AlwaysLiquid pic.twitter.com/vxHMqj13SE

— Pranksy (@pranksyNFT) May 8, 2021

In a pinned post in their Discord, Larva Labs announced that they have since shut down the marketplace.

“We have temporarily paused community minting and trading in the Meebits contract. The contract is safe, all Meebits are safe, and trading is working just fine,” the announcement reads in part.

While the Meebits minting period was scheduled to conclude on Monday, some CryptoPunk and Autoglyphs owners (each of whom is entitled to a Meebit on a one-to-one basis) may not have redeemed theirs yet. As a result, the Larva Labs team plans to “provide a form where you can use your wallet to sign a message that proves ownership of your punks/glyphs, and we’ll mint the Meebits for you using the ‘devMint’ function,” allowing users to continue to mint through the weekend while preventing others from utilizing the exploit.

By 0xNietzsche’s own estimations, his exploit could have been far more successful. Per posts in the Discord, given the length of the attack before the market shutdown, he felt he “should've gotten two meebs in that time.” He also noted that his contract cost “~$20k an hour in gas fees” and that he had to purchase punks with unredeemed Meebits in order for the exploit to work, meaning his total haul was reduced due to associated costs.

In a now-deleted Tweet, he said he raked in “50 ETH and 5 floor punks” from the exploit.

An anonymous source told Cointelegraph that other NFT collectors were aware of the attack vector, but did not choose to exploit it as they felt it would be “unethical.” Tweets from yesterday indicate that others were indeed aware of the IPFS leak and had identified the rarest remaining Meebit, 10761, a “dissected,” which was among 0xNietzsche's targets. 

One more Dissected Meebit is "missing", out there to be minted still. It's #10761. https://t.co/xgP2FJKhCw pic.twitter.com/W0Vi5HIECS

— Pixls (@pixls_dot_eth) May 7, 2021

The community is currently publicly debating what this will mean for prices across the Meebits and wider Larva Labs space. Many believe that the exploit could, paradoxically, increase floor prices for the projects due to “narrative.”

Historical significance can play a major role in the price of NFTs. Earlier this year, digital archeologists uncovered “Mooncats,” thought by many to be the second-ever NFT project, leading to a temporary buying frenzy. 0xNietzsche himself is a Mooncats enthusiast.
