Is NFT safe: Reviewing the contract vulnerabilities in the history of CryptoPunks and Meebits

With the opening of the NFT business platform in Japan, JYP, one of the three largest entertainment companies in South Korea, has turned its attention to the NFT market, and NFT has attracted more and more attention from ordinary people.

Imagine Japanese animation and Hallyu pouring into the NFT market. How explosive and potential should it be?

However, NFT, like any other DeFi, is composed of vulnerable smart contracts, so the security of NFT is now also attracting attention. This film explains the story of the NFT smart contract from some accidents in the past NFT.

A less prominent aspect of NFTs is that they are built on smart contracts, and smart contracts can be exploited, destroyed, and hacked. Similar to any typical DeFi project with imperfect smart contracts, NFT smart contracts may also have loopholes that can lead to unfavorable results. As we discuss history and some unfortunate accidents that led to the loss of funds, we will review what people have done with NFT contracts in the past few years.


CryptoPunks can be said to be the most popular NFT project so far. After its launch in 2017, an influential vulnerability appeared in its smart contract. After all 10,000 Punks were sold and entered the secondary market, an error was discovered that might have occurred but did not receive actual payment.

Is NFT safe?  Review the contract vulnerabilities in the history of CryptoPunks and Meebits

The problem in the code boils down to one line-it has not been tested enough. @0xfoobar later posted a post on Twitter explaining the bug in detail.

LarvaLabs, the creator of CryptoPunks, finally restarted the project with a new and updated contract. V1 Punk was part of the original contract until the ERC-721 package of CryptoPunks V1 was released, which is also known as “Classic Punk”.


Many years after the launch of CryptoPunks, LarvaLabs has launched a follow-up project called Meebits. All Meebits have random characteristics. However, when it was launched, some users figured out how to trick the system and re-roll the features to get the features they wanted.

How? The Meebits project includes an archive file in the smart contract that shows the characteristics of each Meebit token ID. Users can start the Minting of Meebit, and if they find that the token is not uncommon by comparing the signature files, they can cancel it. One user took full advantage of this and publicly documented his success on Twitter and Discord. This user is “0xNietzsche”.

0xNietzsche initiated more than 300 transactions to test this vulnerability. If there are not enough rare features, every Meebit they initiate will be cancelled. After more than 300 transactions, they were finally able to stumble upon a rare Meebit. #16647.

“0xNietzsche” claimed that they spent $20,000 per hour in gas fees waiting to cast their rare Meebit, but they still used the contract to do so. They were able to sell the newly produced Meebit for 200 ETH, which was worth about $750,000 at the time.

LarvaLabs soon heard the news, temporarily stopped the casting of Meebit, and issued a statement: “We have suspended the community casting and trading in the Meebit contract. The contract is safe, all Meebits are safe, and the transaction is smooth. “They are correct. Meebits are still allocated completely randomly-unless you invest a lot of time and gas costs, you can’t use the contract, and by then, the casting is almost complete.

Nevertheless, Meebits is a good example of how to use smart contracts to allow one or more users to gain a competitive advantage when creating NFTs.


MoonCatRescue was launched in 2017, and their contract had a considerable flaw in the beginning.

The official MoonCats FAQ page asks a question: Are you getting paid for this?

reply :

Do not. We intend to collect Ethereum from the sale of Genesis Cat. However, the corrections we made during the QA process resulted in these funds being permanently sealed. But it’s okay.

When MoonCat is adopted, transferCat(catId, catOwners[catId], msg.sender, offer.price), the funds are sent to require(catOwners[catId] != 0x0. If you check it carefully in the test, it can actually be solved. The problem. Although this is not the main flaw of the smart contract, they still lost a considerable amount of ETH before they realized the error.

The overall vulnerability of smart contracts

In March 2018, five computer scientists co-authored a paper entitled “Large-scale discovery of contracts for greed, profligacy, and suicide,” and they conducted research on this:

Greedy contract, lock funds indefinitely

Splurge the contract and leak funds to any user at will

Suicide contract, can be killed by anyone

They signed nearly 1 million (970,898) smart contracts on the Ethereum network. They found that 34,200 of these smart contracts are vulnerable to hackers/exploitation, which means that in 2018, approximately 1 in 20 smart contracts are at risk. They analyzed 3759 contracts in-depth to verify the existence of vulnerabilities in their codes, and found that the vulnerabilities in 3686 contracts were discovered in an average of 10 seconds. This is crazy! They can raise up to 4,905 Ether from the contract-slightly more than $8.6 million. The report also added, “In addition, the blockchain currently has 6,239 Ethereum (about 5.6 million U.S. dollars) locked in the post-mortem contract, of which 313 Ethereum was sent to the dead contract after the “death”. “There are many cryptocurrencies stuck in invalid contracts. At the time of this research, DeFi and other smart contracts accounted for a much lower percentage of on-chain activity. A latest report released by Glassnode on May 6, 2021 found that 22.8% of circulating ETH is locked in smart contracts.

Is NFT safe?  Review the contract vulnerabilities in the history of CryptoPunks and Meebits

Is 1 in every 20 smart contracts still vulnerable to attack? Has the project become more secure? Or, as smart contracts become easier for people who lack knowledge to publish, the situation may get worse? Even if we maintain a ratio of 1 / 20, this would mean that approximately 1% of the ETH supply is in fragile smart contracts.

The point here is to do research before starting a project. Try not to FOMO. Make sure that the project you want to invest in spends time developing smart contracts, and make sure that the project is not created out of thin air. A lot of copied and pasted code exists there, which is always a red flag.


Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Leave a Reply