The heist of the Chiptopunks began with one of the most anticipated generative art drops in recent memory. Last Friday afternoon, Chiptopunks was poised to reveal their remarkably unique 3D animated NFTs for a frantic fanbase of anxious collectors.
On its official site, the countdown clock to start minting Chiptopunks expired without incident. That’s when chaos erupted, and within that very minute, an angry mob of crypto town-criers descended upon the Discord group. With their tiki torches ablaze and their knives out, they stormed the ChiptoStage, hurling insults and accusations at a pair of disoriented developers.
Even accidents can become art on the blockchain. The Chiptopunks Discord prophesied controversy before the drop ever happened. Unlike most generative art projects touting 10,000 collectibles, only 512 Chiptopunks NFTs were minted, with at least 8 Chiptopunks spoken for before the drop went live. Bored Apes and Cryptopunks accounts were tweeting about the Chiptopunks at least a week beforehand, while the Chiptopunks Discord grew 4x more members than the number of NFTs minted. This didn’t discourage countless collectors who were ready to chip in, knowing they had little or no chance of getting one. Everyone in the drop party was ready and waiting to rush the secondary market before the floor rose too high.
“How many people are pissed when they’re standing outside a Supreme store waiting for a t-shirt drop?” LordNefty ranted. “It doesn’t matter if it’s an inside job—it’s not, and I know that for a fact,” he emphasized. Although LordNefty claims to have exploited a weakness in the Solidity contract and absconded with 150 Chiptopunks by “accident,” proof he owns the transacting wallet has yet to be provided.
So what really happened? How is it that so few collectors managed to secure a Chiptopunk? And how did a single wallet bag 150 NFTs when the limit for a single transaction was set at a 3-mint max?
“I can say without a doubt they made an error in their code,” says Ryan Satterfield, owner of Planet Zuda, a cyber-security company specializing in information security and hacking the internet of things (IoT). “I would love to applaud them on the work they put into security, but, in this space, every character matters,” Satterfield emphasized. “I would not make such a statement without having fully reviewed their contract that’s publicly available.”
A Solidity contract is a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain. You can think of its state as single slots in a database that can be queried and altered by calling the functions of the code that manages the database. “Solidity looks deceptively simple, but it’s much, much harder than it looks,” says Dimitrios Kouzis-Loukas, Fintech Senior Engineer/Architect at Bloomberg LP. Kouzis-Loukas is responsible for leading teams of engineers that develop tools and infrastructure to ensure that Bloomberg’s systems are up and stable. “Don’t get me wrong,” he continued. “People do an excellent job, but still. Smart contracts and Solidity are so new, and people are still trying to figure them out.”
“The NFT contract for Chiptopunks was published 6 hours before the drop, and someone was able to write a custom contract,” says 0xFloop. “The way the Ethereum blockchain works is when you’re calling internal functions from a contract, you don’t have to wait for each one to go through. Someone did 33 buys of 3 each, and that goes through in one transaction. That’s what knowing how to code and actually understanding Solidity allows you to do.”
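The difference between a limit enforced per call and a limit enforced per buyer, shown as an added example that is not the Chiptopunks contract or code from anyone quoted here. The contract name, function names and the per-wallet cap value are assumptions made for illustration; the supply of 512 and the 3-mint limit are the figures given in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sale contract, constructed for illustration.
// It is NOT the Chiptopunks contract; all names here are assumptions.
contract MintLimitExample {
    uint256 public constant MAX_SUPPLY = 512;   // collection size stated in the article
    uint256 public constant MAX_PER_TX = 3;     // per-transaction limit stated in the article
    uint256 public constant MAX_PER_WALLET = 3; // assumed value for the hardened variant

    uint256 public totalMinted;
    mapping(address => uint256) public mintedBy;

    // Weak form: the cap is checked on each call. A contract can make many
    // calls inside one transaction, so this bounds the size of each call,
    // not how many tokens a single buyer ends up holding.
    function mintPerCallCap(uint256 qty) external {
        require(qty > 0 && qty <= MAX_PER_TX, "per-call cap");
        require(totalMinted + qty <= MAX_SUPPLY, "sold out");
        _record(msg.sender, qty);
    }

    // Hardened form: keep a running total per address and refuse calls
    // that arrive through an intermediary contract.
    function mintPerWalletCap(uint256 qty) external {
        // tx.origin is the account that signed the transaction; requiring it
        // to equal msg.sender rejects calls relayed by another contract.
        require(msg.sender == tx.origin, "no contract callers");
        require(qty > 0 && qty <= MAX_PER_TX, "per-call cap");
        require(mintedBy[msg.sender] + qty <= MAX_PER_WALLET, "per-wallet cap");
        require(totalMinted + qty <= MAX_SUPPLY, "sold out");
        _record(msg.sender, qty);
    }

    // Bookkeeping for the limits; token issuance and payment handling
    // are outside what this example demonstrates.
    function _record(address to, uint256 qty) private {
        mintedBy[to] += qty;
        totalMinted += qty;
    }
}
```

A per-address cap still does not stop one person from minting with many addresses, which is why sales that need a hard per-person limit usually add an allowlist or signed mint authorizations on top of it.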
“The contract is vanilla,” claims LordNefty. “They copied and pasted their contract, and filled in the blanks,” he asserts. “This project has been on my radar for some time, knowing I was going to use the contract to buy more than 3,” he claims. Still, there’s no proof that LordNefty actually did the ‘bundling’. “One by one, I’m going to send them to the burn wallet,” he said.
Burning them all doesn’t affect the current market as it exists; there would be no market dump or supply-side disruption. It was suggested that LordNefty raffle them all at a set price. He could also make a contract that allows a re-drop of 150 NFTs and set the mid-price like an auction, but that could result in thousands of people attempting to buy 150 NFTs, with no guarantee the same thing wouldn’t happen again. However, it has yet to be verified that LordNefty is in fact the owner of 150 Chiptopunks, so all of this may still be speculative by the time this article is published.
“GaperArt could potentially use the Ethereum self-destruct function to dynamically update the code, or use it to make the current contract non-operable in the future while transferring everything to another contract,” Satterfield suggests. “The opcode SelfDestruct can be used to update contracts already on the blockchain or redirect the contract to a new contract. However, SelfDestruct in itself is also dangerous to most contracts on the blockchain because anyone can update or delete the code of any project if it isn’t protected against SelfDestruct.” This is because the opcode doesn’t require consent to be used against a contract. However, SelfDestruct can also be used to update contracts with a patch that keeps them from being exploited by SelfDestruct, as long as that function hasn’t been removed from the Ethereum version you’re using. Vitalik Buterin, the Russian-Canadian programmer and co-founder of Ethereum, wants to remove this opcode.
“I’m an artist at heart,” Cam Taylor professed. “Gaper.eth wrote the code. Our intention was to provide something unique and special, something different from a lot of the stuff that’s out there right now and we’re fucking bummed,” he apologizes. “We didn’t want it to go this way. All the comments saying we know it’s a scam like we’re in on it couldn’t be further from the truth. We care deeply about this project. Honestly, I just wanted to create the most badass fucking 3D punk heads possible for y’all, and we’re fucking pissed that this happened,” Taylor said.
“This is not how we intended the drop to go,” says gaper.eth. “All we wanted was to build community and to have a solid drop. We had no intention of one whale buying 150 of the supply.”
“This isn’t even how you build community, though,” ab7#5635 lamented on Discord. “Building a community would start at a really low price to give people the opportunity to get into your project. The art is really fucking good. Chances are they’re gonna hold. It really sucks there’s a lot of people that were priced out, to begin with,” she regrets.
Adding insult to injury, OpenSea initially verified the wrong contract, leading some collectors, including myself, to purchase illegitimate NFTs. One such collector purchased at least 5 of them. So when you search for Chiptopunks NFT on OpenSea, be sure it’s the collection with 512 items. Some of them are available on the secondary market, and despite everything that went wrong, there’s always an upside.
“We haven’t settled on the exact percentage or amount yet, but we are going to take a portion of the profits, and we are going to be purchasing iPads with Procreate, or possibly laptops. We’re giving them to underprivileged children who would like to be able to make art,” Taylor promised. “We’re gonna figure out the right organization to work with, and we want to make it transparent to show that we believe in art and technology. We want to give back in some way.”