Attacker nabs $700,000 collectible as $85 million ‘Meebits’ NFT project exploited

As an attacker found a way to mint a rare NFT worth over $700,000 from the “Meebits” collection, the legendary NFT developers Larva Labs were the victims of an exploit this morning.

Anticipation of making “$300,000 per hour” throughout the duration of the attack, was what the attacker teased 0xNietzsche on twitter this morning. Saying that they came off as “douchey.”, the attacker has since deleted the tweets.

Until the contract gave him one he wanted, his attack is essentially centred on “rerolling”. Also, one which reveals the characteristics of each Meebit’s ID, the Meebits contract includes a zipped Interplanetary File System file. Until knowledge of the IPFS leak spread, the characteristics of Meebits were not public knowledge. As a result, 0xNietzsche simply needed to make a list of desirable IDs, and design a contract that minted Meebits over and over, but cancelled the transaction if he didn’t get a favorable ID.

An Etherscan address shows 345 total transactions, hundreds of which are failed “rolls” to obtain desirable Meebits. The only successful roll appears to be for Meebit 16647, a “visitor” or alien. 16647 was bought by the collector-whale Pranksy for 200 ETH. Per Opensea, the next lowest-price Visitor Meebit is listed for 300 ETH.

In a pinned post in their Discord, Larva Labs announced that they have since shut down the marketplace.

“We have temporarily paused community minting and trading in the Meebits contract. The contract is safe, all Meebits are safe, and trading is working just fine,” the announcement reads in part.

While the Meebits minting period was scheduled to conclude on Monday, some CryptoPunk and Authglyphs owners (each of whom are entitled to a Meebit on a one-to-one basis) may not have redeemed theirs yet. As a result, the Larva Labs team plans to “provide a form where you can use your wallet to sign a message that proves ownership of your punks/glyphs, and we’ll mint the Meebits for you using the ‘devMint’ function,” allowing users to continue to mint through the weekend while preventing others from utilizing the exploit.

Leave a Comment