Experimental and new tech is always subject to intrusions and exploits, with crypto not far behind in that regard. And yesterday saw one of the first instances of an NFT being “front-run.”
Punk gets sniped
You may have heard of CryptoPunks, the first Ethereum-based non-fungible token (NFT) project, with over 16,000 unique “punks” that have become hugely popular in recent months as crypto collectibles.
The process to purchase one is simple. You visit an NFT sales platform like OpenSea, NiftyGateway, or the CryptoPunks site itself, find a punk you like, and pay the requisite ETH to take permanent ownership of it.
But yesterday saw a case of a punk sale gone wrong, with the owner ending up with only a few pennies (instead of thousands of dollars) and a sniper trader bagging a punk for almost nothing.
Arad, a Grin developer, cited on-chain data and said on Twitter yesterday that the sale of Punk #1737 seemed to have been hijacked by a notorious entity. “[It] received a legitimate 26.25 bid and accepted, but before his tx hit the chain, a contract flash loaded 26.25 ETH + 1 wei and bid himself,” they tweeted.
“The owner got 1 wei in return for his sale, and the contract now owns the punk,” Arad added.
To understand how that ended up happening, it’s important to understand how Ethereum transactions work. Each transaction on the network is validated and included in a block by a miner, an entity that uses its resources to maintain the network and earns rewards in return. The user attaches a “gas” fee to the transaction; miners choose which pending transactions to take up, process them, and pocket the fees, and they naturally favour the transactions that pay the most.
This means every bid sits publicly visible in the pool of pending transactions before it is mined. It also means a predatory miner or trader who sees the bid can pay more gas to get their own transaction mined ahead of it, front-running the bid and pocketing a better deal.
CryptoPunks front run
That is what happened to the seller of Punk #1737, who was front-run by another trader or miner and lost out on the deal. The seller broadcast a transaction accepting the bid, but before it was mined, another party slipped in with a bid a little higher, funded with a flash loan on Aave and repaid within the same transaction, and pocketed the deal.
“To clarify, bids could always snipe with slightly higher bids, that’s not the issue. The problem is that the contract doesn’t collect the entire bid amount for the seller if that eth is removed (back to AAVE here) in the same transaction,” explained Arad in a separate tweet.
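The two points above (pending transactions are ordered by the miner, and a settlement routine has to confirm that the accepted bid is still backed by real funds when it actually runs) as a constructed Python model. This is an added illustration, not the CryptoPunks contract or any code from the article; the account names, gas prices, the 26.25 ETH figure taken from the tweets, and the flawed “pay whatever is left” settlement path are all assumptions of the model.

```python
# Constructed toy model (not the CryptoPunks contract): bids are funded into the market
# until the seller accepts. Shows a miner ordering pending transactions by gas price, and
# why settlement must re-check the bid's funding and the seller's minimum when it runs.
from dataclasses import dataclass, field

PRICE = 10**18 * 105 // 4                              # 26.25 ETH in wei
@dataclass
class Market:
    owner: dict = field(default_factory=dict)          # punk -> account
    bids: dict = field(default_factory=dict)           # punk -> (bidder, wei bid)
    escrow: dict = field(default_factory=dict)         # bidder -> wei the market holds for them
    paid: dict = field(default_factory=dict)           # account -> wei credited for withdrawal

    def enter_bid(self, punk, bidder, value):
        if punk in self.bids:
            prev_bidder, prev_value = self.bids[punk]
            if value <= prev_value:
                raise ValueError("must outbid the standing bid")
            self.escrow[prev_bidder] -= prev_value     # outbid bidder is refunded
            self.paid[prev_bidder] = self.paid.get(prev_bidder, 0) + prev_value
        self.escrow[bidder] = self.escrow.get(bidder, 0) + value
        self.bids[punk] = (bidder, value)

    def accept_bid(self, punk, seller, min_price, checked):
        bidder, value = self.bids[punk]
        backing = self.escrow.get(bidder, 0)           # wei actually still held for this bidder
        if checked and (value < min_price or backing < value):
            raise RuntimeError("bid below seller's minimum or no longer fully funded")
        amount = value if checked else min(value, backing)   # flawed path pays whatever is left
        self.escrow[bidder] = backing - amount
        self.paid[seller] = self.paid.get(seller, 0) + amount
        self.owner[punk] = bidder
        del self.bids[punk]

def run_scenario(checked):
    """Returns (wei credited to the seller, owner of the punk afterwards)."""
    m = Market(owner={"punk": "seller"})
    m.enter_bid("punk", "legit_bidder", PRICE)
    def sniper_tx():      # one tx: bid 1 wei more, then the 26.25 ETH funding leaves again
        m.enter_bid("punk", "sniper", PRICE + 1)       # (e.g. to repay a flash loan) while
        m.escrow["sniper"] -= PRICE                    # the bid record is left standing
    def seller_tx():      # the accept the seller signed while the 26.25 ETH bid was standing
        m.accept_bid("punk", "seller", min_price=PRICE, checked=checked)
    pending = [(30, seller_tx), (300, sniper_tx)]      # (gas price in gwei, tx); constructed
    for _, tx in sorted(pending, key=lambda p: p[0], reverse=True):   # higher gas mined first
        try:
            tx()
        except RuntimeError:
            pass                                       # accept reverts: no transfer, no payout
    return m.paid.get("seller", 0), m.owner["punk"]
```

With the flawed path the seller is credited 1 wei and loses the punk; with the checks in place the accept reverts and the seller keeps the punk.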
Meanwhile, as unjust as the above sounds, the method was not illegal in any way (ill-intended, but not illegal). The CryptoPunks protocol itself has not been damaged or affected, nor is there a problem with Ethereum.
“There is nothing to be stressed about. No more danger, and minimal damage. Matt and John handled it very quickly,” Arad added, referring to the two co-founders of Larva Labs, the team behind CryptoPunks.