Schrödinger's Stolen NFT
Gamified art in NFT form - the first of its kind.
Many worlds meet in this twisted tale of game theory, art, value and crime - a unique experiment powered by degenerate quantum mechanics.
A Supermassive superposition presented a Bitcoin prize.
Yet the unexpected outcome proved that there’s more than one way to skin Schrödinger’s cat.
Was this a successful experiment, or a digital art heist cover up?
The ending is open to interpretation (Copenhagen or otherwise).
Despite intense promotion and preparation, there was a conspicuous silence from the project's creators after it came to an unexpected ending.
Although uncertainty was assured (the experiment was named “The Rug Pull”), nobody expected the code to be exploited and the basic rules of the game to be broken.
The rules of the game were explained as follows:
There are 12 NFTs. All seemingly identical. Hidden in one of those NFTs is a Bitcoin. You do not know which one that Bitcoin is in. However you can find out by unlocking the NFT, which will tell you whether that NFT holds the bitcoin or not.
However, the moment you do so, the status of your NFT - whether it holds the BTC or not - will be viewable.
So there is a 1 in 12 chance that you are in possession of a bitcoin, and there is an 11 in 12 chance that you are not.
What’s it worth to take that risk and look inside? If Bitcoin is at $10K, what’s it worth? If Bitcoin’s at $100K, what’s it worth?
Any one of the other 11 people who own the NFT could pull the rug by opening their NFT and finding the bitcoin, causing the value of the other NFTs to crash. Alternatively they could open their NFT and find no bitcoin, causing the value of the other 11 to rise.
The 12 NFTs were sold at auction for a total of $65k (paid in $MEME), ranging from approximately $4080 to $8400, which compared with the BTC valuation at that time (~$18,450) represented a markup of ~250%.
NFT # | $MEME paid | OWNER |
---|---|---|
NFT 70 | 21.50 | 0x196A3Dc8446920Cef0f0d1f6Bf7Ba5b40702C79f |
NFT 71 | 23.12 | 0xca768c37ba6EC3d67bE7B47bbE1F1C94CA216f46 |
NFT 72 | 21.50 | 0x6f9BB7e454f5B3eb2310343f0E99269dC2BB8A1d |
NFT 73 | 35.01 | 0xf305F90B19CF66fC2D038f92a26440B66cF858F6 |
NFT 74 | 33.00 | 0xCb28f90dCAb551f9FC17aFDd85a09495a87F078E |
NFT 75 | 25.00 | 0xcbc7d0Ff51D37b60ba741bF566496BBa53b5eea2 |
NFT 76 | 22.00 | 0x8B6250bAB1A60232e4154aB1F2EE7f5DF2A9C151 |
NFT 77 | 35.00 | 0xb7fD6B9183fbb8aBb2A3066C41770635Babc433F |
NFT 78 | 29.00 | 0x6f9BB7e454f5B3eb2310343f0E99269dC2BB8A1d |
NFT 79 | 20.00 | 0x4F50d47D20380172746527bbeAa274940C38EFAC |
NFT 80 | 17.00 | 0x6f9BB7e454f5B3eb2310343f0E99269dC2BB8A1d |
NFT 81 | 25.00 | 0x1d5E65a087eBc3d03a294412E46CE5D6882969f4 |
For the NFT owners, the most rational behaviour would have been to not reveal the status of the NFT and instead just hold, as the price of the NFT should have tracked at least 1/12 of BTC over time.
In essence this is the prisoner's dilemma. The best outcome for all owners is NOT to look inside.
But what if you didn’t need to look inside?
What if one player could break the rules and choose where the BTC was placed?
The code was eventually exploited and the attacker was able to extract the prize bitcoin from any one of the twelve NFTs.
Rekt was approached by some unhappy participants, who not only considered the experiment to be a failure, but claimed that the creators tried to cover up the outcome.
rekt OPSEC contacted the NFT experts at BlackPool to help in our investigation.
On the day the auction began (November 11th), a user called RStudios appeared in the Discord.
RStudios does not appear to be affiliated with MEME; his wallet has history, and is involved in other NFT projects as can be seen on OpenSea.
After the auction was complete, he was seen to say:
Around one month later (December 26th), the code was exploited.
Here is an overview of the relevant transactions on that day.
1) RStudios acquired an NFT from y_kymin for 13,000 DAI.
2) In a sequence of transactions, he extracted the WBTC.
3) RStudios dumped the empty NFT for 1.7 ETH and walked away with 1 WBTC and 1.7 ETH in profit, minus the 13,000 DAI he paid for the NFT.
RStudios didn’t have to pick the winning NFT. He/she simply bought one on the secondary market (after haggling the price down) and then pulled the rug on all the other players.
Apparently the attack took them a couple of days to prepare, and in their own words: “it wasn’t easy”.
Selling the empty NFT afterward added to the controversy of the attack; however, RStudios did offer to buy it back.
Although some of the participants consider the experiment to be a failure, the creators maintain that nothing went wrong.
So we find ourselves asking an all too familiar question...
Is this an unfair outcome, or are code exploits just part of the game?
rekt spoke to Robin from some other newsletter to find out.
rekt:
Hi Robin, thanks for talking to us.
It's been just over a week since the end of the "rug pull" experiment.
Are you happy with how it ended?
Robin:
Haha, leading question! It depends what you call the experiment. The Rug Pull wasn't just the auction and subsequent NFT game, it was the whole piece with the build up and the transmedia journey around the idea of greed and trust.
But there's no doubt, the way the Bitcoin was eventually claimed felt like a damp and premature ending to what we had planned.
The game was about exerting pressure on the participants and forcing them to confront their own greed mechanics. What happened was one of the 12 owners sold their NFT for a small profit and broke the admittedly tenuous circle of trust that had been built. What this proved was simply what we already know: a chain is only as strong as its weakest link.
In this case it didn't take much for someone to take the money and run. I had raised this dynamic in the original promo video. How much can you really trust the other owners of the NFTs? The best outcome is to work together. But I would have loved to see much more pressure from Bitcoin to make it really come alive.
So, not unhappy but definitely feel like there was more life in this. However, we did ultimately answer the question of what's worth more: the art or the crypto contained within it. In this instance, the crypto was a greater prize. Which is sad but not unexpected.
rekt:
When RStudios removed the bitcoin from the NFT, they were able to do so without anyone knowing.
If they hadn’t announced that they had removed the bitcoin, what would have happened?
Robin:
It's a good question.
We're lucky that hackers can be quite vain and like people to know how clever they were.
To be clear I didn't code the contracts and I didn't engineer the mechanics. I can dream it but we can only work within the parameters of the network.
I haven't answered your question.
Probably nothing would have happened until the NFT was opened. Then there would have been probably some rage and some accusations and some fud and the usual. Then I would most likely have sold some stuff, acquired a bitcoin in restitution and then significantly increased my social klout for demonstrating I'm one of the good ones.
Or some crap. I dunno. You know the drill, this is crypto. We would have made good anyway. Although I don't know how tripped the lottery mechanics would have been.
rekt:
The launch of the experiment was very well publicised, yet the ending was silent.
If this was one of the expected outcomes, why did you not release any post-mortem or final public statement?
Robin:
Expected outcomes makes it sound like we expected someone to exploit the code this way. We didn't.
Inherently we knew there would be a target on the NFTs' back but the hope was that by creating an involving and entertaining experience we would raise the value of the art to the point where it was worth more and would be respected more.
You know? Even though you know you can exploit you don't.
This was an idea that I floated in the initial build up. I exposed my private keys and let people take my tokens. Almost everyone gave them back but it was someone outside of the group that didn't.
The timing of the exploit was bad for me, after the year we had I'd switched off crypto for a period to get some family time. As for a post-mortem I was actually planning on doing an episode of the Defiant on it but when you got in touch it felt like that would be a better avenue to put the story out.
The other thing is, there's a major assumption here that the whole thing has ended.
That isn't the case. The NFTs still exist, there's still a community here, I don't think it's necessarily a full stop. It's been a slow pickup to the new year but myself and the Meme team would like to create a new chapter but we've not had a chance to connect on what that might be.
Ultimately we promised a rug pull and that's exactly what happened.
rekt:
The attacker made a public warning about the vulnerability a month before the exploit.
Do you think this was handled appropriately?
Robin:
Depends how you look at it. There's a big difference between posting one message in a discord channel and contacting a team privately to discuss.
I don't know whether you read every single message in every social app you use but I certainly don't.
Unfortunately the team didn't appear to have seen it. But if the attacker was motivated by helping the team fix and mitigate the vulnerability then he would have been more persistent about flagging it.
Ultimately he has a nice f-you record to prove his point and I understand the flex. It wasn't handled because it wasn't seen. I don't think there's any blame attributable to the team for that.
rekt:
This experiment was an entirely new concept, and although it may not have lasted, it does make us think about the creative opportunities that digital scarcity allows for.
What’s your most far-out prediction for the future of NFTs?
Robin:
What I find crazy is SOCKS, that people would buy an NFT that represents socks and never ever need to own those socks but they can trade the value.
This is just derivatives of course but if you extend that notion then literally anything can be an NFT. Every single item in the world can find a digital twin in a metaverse. And at that point you get into some really wild ideas around production, fulfilment, sustainability and beyond.
Digital fashion is the area that feels the most ripe for a major move in 2021. When the picture, your digital record on Instagram, is all that matters then owning a real garment is kind of secondary. So we get into these notions of signalling and badging ourselves digitally without there needing to be a shady sweatshop involved.
I haven't gone far enough in thinking about NFTs and what they can be but I know there's a great deal more that we haven't even begun thinking about yet but I'm happy to be one of the ones experimenting with it.
rekt:
Thanks for your time Robin, do you have anything else you'd like to say to our readers?
Robin:
Don't overcommit to anything you don't understand. It's going to be a wild year but you have to keep your sane brain engaged.
They promised a rug pull and that’s what happened.
We always encourage our readers to think outside the box, to consider all possibilities when investigating a situation. Although unlikely, there’s no evidence to suggest this wasn’t an inside job. Not directly from the team, but maybe from someone associated...
The MEME team may be more suspicious than usual at the moment, and they would be right in being so...
Although the code could have been more secure, this seems to be more of a failed experiment than total incompetence.
However, it’s understandable that some players are disappointed with the outcome, and in some ways this feels worse than some of the larger hacks.
It’s like card counting at a children's poker night. It’s not technically against the rules, but it definitely spoiled the fun for a few innocent people who were just trying something new.