Over 200 Ethscriptions Nabbed in Smart Contract Exploit
A new protocol that lets people create and share digital objects on Ethereum has hit a major setback, according to its creator, who said the Ethscriptions main marketplace had been hacked.
Launched last month by Tom Lehman, co-founder and former CEO of Genius.com, Ethscriptions is a novel way to create Ethereum assets that leverage transaction “calldata” to write non-financial data to the network’s blockchain.
The Ethscriptions protocol itself and other applications that tap the technology haven’t been impacted, Lehman said on Twitter on Friday. Yet a sizable number of Ethscriptions listed on Ethscriptions.com have been stolen, he said.
“About 123 individual addresses lost a total of about 202 ethscriptions in this exploit,” he said. “Any young protocol will have bumpy landings, but this is definitely not what I meant.”
Marketplace Security Incident Update
In this Tweet I’m going to walk you through how the exploit happened and what we are doing about it.
First, to be clear, this was not a vulnerability in the Ethscriptions Protocol. This was a vulnerability in one…
— Middlemarch (@dumbnamenumbers) July 12, 2023
In terms of value, it’s unclear exactly how much was lost in connection with the exploit. But according to data from NFT marketplace OpenSea, some inscriptions have sold for as much as 5 Ethereum or around $9,600 in the past month.
Lehman told Decrypt that, regarding the Ethscriptions lost, “it’s all terrible,” but he specifically lamented the theft of Ethscription #56, describing it as “brutal” and pointing to the rarity often ascribed to earlier artifacts.
The exploit also has a particular sting, Lehman said, because the marketplace was meant to serve as an example that others building out support for Ethscriptions could lean on.
“The purpose of the marketplace was basically to help show other people how to create marketplaces and help build an ecosystem,” he said. “Unfortunately, we fell on our face in that area.”
Lehman claimed responsibility for the failure, explaining the exploit could be traced to a smart contract that he and Indelible Labs co-founder Michael Hirsch created. A snippet of code allowed people to withdraw Ethscriptions that they didn’t own from the marketplace.
“Part of the challenge with this new protocol is that you save a bunch of money from limiting the use of smart contract storage, but then you have to be more strategic surrounding how you use contracts in cases like marketplaces,” he said. “You have to figure out a way to either give smart contracts information or make it so smart contracts don’t need that information.”
The Ethscriptions.com marketplace will be relaunched once necessary changes are made to the protocol itself, according to Lehman, who said he’s been in contact with many of those impacted by the exploit. He praised them on Twitter as “the earliest adopters” of the Ethscriptions protocol.
Ethscriptions differ from traditional NFTs: they are stored in transaction-level data rather than being tokens issued on Ethereum by smart contracts, as is the case with the ERC-721 token standard. According to a Dune Analytics dashboard, around 474,000 Ethscriptions have been created so far.
The protocol’s emergence follows the rise in popularity of Ordinals, which are used for creating NFT-like assets on Bitcoin, a rise that has led to a new wave of experimentation with crypto’s oldest coin.
Lehman drew attention to the exploit on July 14. Days later, a disclaimer about the impacted state of the marketplace remains. A warning on Ethscriptions.com reads, “There is an issue with the marketplace contract! Withdraw your Ethscriptions and do not create new listings!”