Rug Pull Finder (RPF) researchers have reported an exploit in their smart contract that allowed two attackers to create 450 project NFTs for free instead of one in their wallets.

According to the team, the hackers created an additional chain in the Bad Guys free coin minting tool. With his help, RPF has selected users for the pre-sale of the 10,000 NFT collection planned for the fall. Holding Bad Guys tokens also gave access to other upcoming projects.

In total, the smart contract allowed the release of 1221 tokens, one for each wallet. However, the vulnerability allowed attackers to increase the number of NFTs allowed.

After discovering the incident, RPF negotiated a reward of 2.5 ETH (about $3,950 at the time of writing) with one of the hackers to recover 330 NFT.

The monitoring group acknowledged that an unknown source had warned them about the vulnerability 30 minutes before Bad Guys started, but ignored it.

“After checking with three different development teams, we did not believe the accuracy of the information sent to us. We were clearly wrong and we are very sorry,” RPF said.

The smart contract was developed by blockchain agency Doxxed Media. RPF acknowledged that neither it nor any independent third party had audited the code.

After consultation with the community, the team decided to deploy the recovered NFTs. Some will return to the Bad Guys vault, others will draw on Twitter and among friends of the project.

Recall that in August, Elliptic analysts reported that since 2017, attackers have laundered more than $8 million through NFT markets, which account for 0.02% of total trading turnover.

According to them, over $100 million tokens were stolen from July 2021 to July 2022.

The most popular tool for laundering money from NFT scams was the Tornado Cash cryptocurrency mixer.

Read ForkLog bitcoin news in our Telegram – cryptocurrency news, courses and analysis.