$1 Million Lost to Smart Contract Exploits: The Risks of Outsourcing in Crypto
In a striking incident this June, projects linked to Pepe meme creator Matt Furie and the NFT studio ChainSaw lost approximately $1 million due to serious contract takeover exploits. On June 18, on-chain investigator ZachXBT revealed that an attacker gained control of the “Replicandy” contract, swiftly transferring ownership to an external wallet. Within hours, the new owner withdrew mint proceeds, reopening the contract to issue fresh NFTs before dumping them into open bids, which resulted in a drastic price drop to zero. Such events highlight the vulnerabilities prevalent in crypto projects, particularly those relying on outsourced development or gig workers.
The Exploit: Step-by-Step Breakdown
The exploit began with a transaction at 4:25 a.m. UTC on June 18, where the attacker took over the Replicandy contract. Two hours later, proceeds from the minting were withdrawn, followed by a re-opening of the mint to issue new NFTs, culminating in a liquidity crash. On June 23, the same address compromised three other ChainSaw contracts—Peplicator, Hedz, and Zogz—repeating the mint-and-dump cycle and causing an estimated theft exceeding $310,000. ZachXBT connected the funds to specific wallet addresses, tracing deposits and withdrawals through various exchanges, including MEXC.
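As an added example, not code from the article or from any of the projects it names: a small Python monitor that flags the sequence described above, an ownership transfer to an address outside a team allowlist followed by a withdrawal or mint re-open within a short window. The event names, addresses and timestamps are constructed placeholders, not values from the incident.

```python
# Constructed sample of decoded contract events, following the sequence the
# article describes: ownership moved to an unknown wallet, mint proceeds
# withdrawn hours later, then the mint re-opened. Timestamps are unix seconds
# and every address is a placeholder, not a real one from the incident.
T0 = 1_750_000_000
EVENTS = [
    {"ts": T0, "contract": "Replicandy", "event": "OwnershipTransferred", "to": "0xATTACKER_PLACEHOLDER"},
    {"ts": T0 + 2 * 3600, "contract": "Replicandy", "event": "Withdraw", "to": "0xATTACKER_PLACEHOLDER"},
    {"ts": T0 + 2 * 3600 + 600, "contract": "Replicandy", "event": "MintOpened"},
    # Legitimate rotation to the team multisig, then a routine withdrawal: no alert.
    {"ts": T0 + 3600, "contract": "Hedz", "event": "OwnershipTransferred", "to": "0xTEAM_MULTISIG_PLACEHOLDER"},
    {"ts": T0 + 7200, "contract": "Hedz", "event": "Withdraw", "to": "0xTEAM_MULTISIG_PLACEHOLDER"},
    # Unexpected owner change with no follow-up yet: still worth a medium alert.
    {"ts": T0 + 5 * 86400, "contract": "Zogz", "event": "OwnershipTransferred", "to": "0xATTACKER_PLACEHOLDER"},
]

TRUSTED_OWNERS = {"0xTEAM_MULTISIG_PLACEHOLDER"}  # addresses allowed to own the contracts
WINDOW = 24 * 3600  # seconds of heightened attention after an unexpected ownership change


def find_takeover_sequences(events, trusted=TRUSTED_OWNERS, window=WINDOW):
    """Return one alert per contract whose ownership moved outside the allowlist.
    Severity is 'high' when a Withdraw or MintOpened followed within `window`
    seconds (the pattern described in the incident), otherwise 'medium'."""
    suspect = {}  # contract -> state of the latest unexpected ownership change
    for ev in sorted(events, key=lambda e: e["ts"]):
        c = ev["contract"]
        if ev["event"] == "OwnershipTransferred":
            if ev["to"] in trusted:
                suspect.pop(c, None)  # ownership is back with a known address
            else:
                suspect[c] = {"new_owner": ev["to"], "since": ev["ts"], "actions": []}
        elif c in suspect and ev["event"] in ("Withdraw", "MintOpened"):
            if ev["ts"] - suspect[c]["since"] <= window:
                suspect[c]["actions"].append(ev["event"])
    return [
        {"contract": c, "new_owner": s["new_owner"], "actions": s["actions"],
         "severity": "high" if s["actions"] else "medium"}
        for c, s in suspect.items()
    ]


if __name__ == "__main__":
    for alert in find_takeover_sequences(EVENTS):
        print(alert)
```

In practice the events would come from decoded logs of the deployed contracts, and the allowlist from the team's known deployer and multisig addresses.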
Links to Suspicious Activity
ZachXBT’s investigation revealed troubling links between stolen funds and accounts associated with possible North Korean IT workers. Two GitHub accounts, “devmad119” and “sujitb2114”, displayed behavioral patterns and system settings typical of North Korean developers, despite professing US residency. This pattern raises questions about the meticulousness of vetting processes involved in hiring freelance developers in the crypto space.
Another High-Profile Incident: Favrr’s Exploit
In a related development, the freelance services token project Favrr was hacked, with losses exceeding $680,000 by June 25. On-chain analysis identified a wallet consolidating stolen funds, which received regular payments from Favrr’s payroll addresses. Following the attack, Favrr announced plans to refund initial participants of its decentralized offering and cancel its MEXC listing. The team is now conducting audits to improve security and has advised users to be vigilant against fraudulent tokens.
The Role of Developers and Due Diligence
As details emerge, concerns about the developers’ transparency are mounting. Notably, Favrr’s Chief Technology Officer, Alex Hong, deleted his LinkedIn profile after the exploit, which raises further suspicions. ZachXBT has promised to release comprehensive data on payroll flows linked to the North Korean cluster, indicating that many projects may not be applying the necessary due diligence when hiring. Essential checks could have helped flag suspicious activity early, potentially mitigating the fallout.
Risks of Outsourcing Development
These incidents serve as a stark reminder of the inherent risks of outsourcing development in the crypto space. While gig-work platforms offer flexibility, they can also expose projects to fraud and exploitation. As the investigations continue, stakeholders and communities await formal statements from key players such as Furie, ChainSaw, and Favrr. The pressing need for awareness and meticulous scrutiny in hiring practices has never been clearer, urging projects to reflect on their operational practices moving forward.
In conclusion, the recent exploits remind everyone involved in the crypto community to prioritize security and thorough vetting procedures. As the industry matures, understanding these risks will be vital to safeguarding against similar events in the future.