NFTheft pranked Bitski's and Ellen Degeneres' NFT Auction -> Woman with Stick Cat

Woman with Stick Cat



After showing and proving the vulnerability for NFTs that are not properly minted with the creator's wallet, I decided to tackle another problem. The actual minted NFT itself. A lot of readers dismissed my Beeple NFT as an illegitimate and "cheap" fake. Their reasoning behind this was that the "original" Beeple NFT, even though not properly minted, was minted before my NFT, thus making it the first and the original NFT. So my next challenge was to mint a fake NFT, before the original is even minted!

Like with any project, I needed to choose a target... umm example. Right around this time there was a bit of social hype and announcement that Ellen DeGeneres was going to sell her first NFT, and that Bitski was going to be the one that makes it happen. So after doing some research, I confirmed that this will be the perfect moment to demonstrate the problem.

The interesting and disturbing thing that I discovered along the way was that Bitski holds the private keys to their users' wallets! Apparently their excuse for this is that users shouldn't be bothered by such technical complications and instead should put their focus on finding, and buying, NFTs that they love. Interestingly enough, you can't pay for the NFTs with crypto but rather through credit card payments provided by Stripe. And if that wasn't enough, you can only buy NFTs that are "dropped" through their platform. If you want to sell, trade, or buy any of their NFTs second-hand, they suggest you visit the OpenSea marketplace.

The next steps were to do a technical analysis of how the Bitski NFTs are minted. This information was incredibly difficult to find; they went to great lengths to make it unavailable to potential buyers. I was later able to understand why that was. They only mint their NFTs after a purchase is made, and they mint it directly to the wallet of the buyer, the same wallet to which they hold the private keys. A closer inspection of their smart contracts confirmed my theory that they were not following any of the ERC721 standards whatsoever; they were just making the bare minimum effort to mint an NFT and send it over to OpenSea. Interestingly enough, they put a lot of effort into making sure that OpenSea commissions for second-hand sales are properly configured and are sending them their cut.

After my previous Beeple NFT project, a lot of people complained that my contract was obfuscated and not open (verified); this was also used as one of the reasons why it proved my NFT to be fake in comparison to the original NFT. So this time I checked and made sure that my target's smart contract was obfuscated, closed, and unverified. Bitski's smart contracts are exactly that.

Ok so what do we have so far? Obfuscated smart contracts, no control over private keys, bad coding, mint NFTs only after a sale, a perfect target for me. I went ahead with writing my own smart contract and deploying it on the blockchain. Then the fake NFTs were minted: one PLATINUM, ten GOLD, and three SILVER (as an additional example). I embedded JSON metadata into the NFTs, but I did not make them into perfect 100% fakes since the point of this exercise was not to fake the NFT itself, but rather to show that we cannot blindly rely on the minting timestamp as the deciding factor for which NFT is authentic.

12 hours later, after the first sale of their NFT happened, Bitski minted their first original NFT, from their obfuscated smart contract that looks very suspicious.

NFTheft: screenshot of NFTheft minting the fake NFT 12 hours in advance.

Bitski: screenshot of Bitski minting a real NFT 12 hours too late.

For those who want to quickly see everything without jumping through links and pages on this website, watch the video which is a screengrab I made when testing my work.

I will not be providing the specifics of how certain aspects of this project were executed; I just wanted to show that this is possible, and that someone with malicious intent can in fact mint an NFT before an original, and can trick/confuse even a sophisticated buyer into believing that their fake is in fact an original. For those who are interested, go ahead and view the NFTs, follow the relevant links that lead to the blockchain, different marketplaces, etc.
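The point about mint timestamps, as an added example that is not part of the original post or anyone's production code: a buyer-side check that ignores mint time and instead compares the token's contract and minter against addresses the creator has published out-of-band. The record fields, function names, addresses and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MintRecord:
    label: str      # constructed name for this sample record
    contract: str   # token contract address (hex string)
    minter: str     # address that sent the mint transaction
    minted_at: int  # block timestamp of the mint, Unix seconds

def norm(addr: str) -> str:
    # EIP-55 checksummed addresses differ from plain ones only in letter case.
    return addr.strip().lower()

def earliest_mint(records):
    """Naive heuristic: treat the oldest mint as the original."""
    return min(records, key=lambda r: r.minted_at)

def authentic_by_issuer(records, published_contracts, published_minters):
    """Keep records whose contract and minter both match addresses the creator
    published out-of-band. Mint timestamps are never consulted."""
    contracts = {norm(a) for a in published_contracts}
    minters = {norm(a) for a in published_minters}
    return [r for r in records
            if norm(r.contract) in contracts and norm(r.minter) in minters]

# Constructed sample data: placeholder addresses, not real accounts.
CREATOR_CONTRACT = "0x" + "Ab" * 20
CREATOR_WALLET = "0x" + "cD" * 20
T_SALE = 1_700_000_000  # arbitrary timestamp for the first sale
RECORDS = [
    MintRecord("copy", "0x" + "11" * 20, "0x" + "22" * 20, T_SALE - 12 * 3600),
    MintRecord("original", CREATOR_CONTRACT.lower(), CREATOR_WALLET.lower(), T_SALE),
]

if __name__ == "__main__":
    print("earliest mint:", earliest_mint(RECORDS).label)
    ok = authentic_by_issuer(RECORDS, [CREATOR_CONTRACT], [CREATOR_WALLET])
    print("issuer match: ", [r.label for r in ok])
    # With nothing published by the creator, no record can be confirmed.
    print("no reference: ", authentic_by_issuer(RECORDS, [], []))
```

When the creator has published no reference addresses, the check returns nothing rather than falling back to the oldest mint, which is the situation a buyer is in when the issuing contract is closed and unverified.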


Sincerely,
Monsieur Personne
