According to Rug Pull Finder (RPF) investigators, a flaw in their own smart contract allowed two attackers to mint 450 of the project's NFTs to their wallets for free, instead of one.
According to the developers of the project, the hackers created an additional chain in the Bad Guys free minting tool. RPF used this tool to select users for the pre-sale of a collection of 10,000 NFTs planned for the fall. Holding Bad Guys tokens also opened up access to other upcoming projects.
The smart contract allowed 1,221 tokens to be issued in total, one per wallet. However, the vulnerability let the attackers increase the allowed number of NFTs.
After discovering the incident, RPF negotiated a reward of 2.5 ETH with one of the hackers to recover 330 NFTs.