As many as 31 NFT projects are at risk due to the work of a single smart contract developer, whom all the projects hired from the popular freelance website Fiverr. The mass collection of security frailties was discovered via the apparent hack of ‘The Starslab’ NFT project, where, in essence, the project’s team lost 197 ETH from their mint proceeds.
Twitter users _MouseDev and zachxbt are the masterminds behind the story’s development, as both community members have tirelessly attempted to uncover the reason behind the attack’s success. Breakthroughs came when the former spotted an inconsistency between Starslab’s explanation for the attack and what the smart contract’s code actually suggested.
In essence, MouseDev’s investigation found that the 197 ETH that The Starslab team claimed to have lost in fact remains sitting in a smart contract with a null address, meaning that neither the Fiverr dev nor anyone else has seized the funds.
Zachxbt took a different route of investigation, turning to Fiverr to successfully identify at least 31 other projects which had hired the same dev. In addition, all such projects had been deployed in the past three months, and each paid the single dev between $2,000 and $4,000 for their work. Most poignantly, each project also appeared to contain the same strange code which was spotted in The Starslab’s smart contract.
Being the good soul that they are, zachxbt contacted all the at-risk projects that had a social media presence (around a third of them). However, regrettably, all who responded to the call for concern stated that they were unaware of the security issues that may be embedded in their project’s smart contract.
In conclusion, the fate of the projects’ financial security, as well as that of Starslab’s 197 ETH, remains unclear. For now, neither zachxbt nor MouseDev is pointing blame at anyone. Zachxbt ended their thread of analysis with: “I am interested to see where the ETH ends up moving to. Hopefully that will clarify things further to determine whether the dev is 100% responsible. Regardless the code there doesn’t lie”.