The in-demand Solana NFT drop turned out to be a “honeypot” for bots duped into buying a fake mint.
Mad Lads, the most hyped-up NFT project of the moment, has become the hottest mint for any profile picture (PFP) project in months, topping the charts of the broader market this past weekend. However, bots ended up overwhelming the mint, forcing a 24-hour delay for the drop.
In a move suiting their collection name, Coral, the “Mad Lads” team, fought back against the bots, tricking schemers into spending more than $250,000 worth of SOL on a fake mint.
While the money spent by schemers was all refunded, Coral’s scheme worked out well: more of the NFT drop’s supply was available to people who actually wanted to be part of the project, rather than to those hoping to mint as many Mad Lads as possible to flip for a quick profit.
BREAKING: @MadLadsNFT 24H NFT SALES VOLUME IS LARGER THAN THOSE OF THE NEXT 9 COLLECTIONS COMBINED – $8,167,746 VS. $7,781,155 pic.twitter.com/0tVbY129tN
— DEGEN NEWS 🗞️ (@DegenerateNews) April 22, 2023
The Mad Lads collection is a PFP NFT project tied to Armani Ferrante and Tristan Yver – two well-known figures in the Solana ecosystem. Ferrante and Yver are part of Coral, a Web3 firm known for their crypto wallet Backpack. Backpack is an all-in-one wallet that allows token-gated experiences, games, and more through its app, built around what Coral calls xNFTs, or executable NFTs.
With 10,000 PFPs in the collection, Mad Lads is the first NFT project launched within Backpack.
“We decided that we had to battle the botters,” said Coral CEO Armani Ferrante, “and we had to do it for the sake of the project.”
HONEYPOT BITCH https://t.co/6Q91RAQigh
— Mad Lads (@MadLadsNFT) April 21, 2023
As the mint date neared last week, Ferrante began receiving Telegram messages from an unknown user who attempted to extort Coral with claims that they could “take down” Coral’s Backpack app and ruin the Mad Lads drop.
At the same time, the user threatened a distributed denial-of-service (DDoS) attack to overwhelm the Mad Lads mint with requests, and demanded payment from Ferrante to prevent the attack from happening.
“We didn’t have the money. We’re strapped on cash—we’re fighting to survive,” Ferrante said. Coral had lost access to over 70% of the $20 million it raised in its strategic round last fall due to FTX’s collapse.
Beyond fighting bots, Ferrante says, the decision to trick them was about fighting for a future for the Mad Lads project, where the intention was to build an organic community of collectors who were engaged with the project and the mint.
How did the mass mint happen?
Users with bots or automated programs typically target high-profile, highly hyped NFT projects in order to swipe a large number of NFTs from a project’s mint.
The users behind these bots or programs flood the mint program with requests to purchase NFTs en masse, typically with the intention to resell at a higher price – or flip – on the secondary market once hype has built after all NFTs have been minted.
When an NFT project’s mint queue is saturated with bots, there is less chance for people who have a true interest in the project to take part in the mint. While projects can set a curated allowlist of authorised wallets to mint – which Mad Lads did – the issue behind Mad Lads’ mint is a bit more complicated.
According to Ferrante, the DDoS attacks began right before the public mint for the rest of the NFT supply was about to start on Thursday last week.
As Coral tried to mitigate the DDoS attacks, the Mad Lads mint ended up being briefly postponed a number of times. While the Solana network stayed online, Ferrante suspected that the attack brought on a “domino effect” which caused CoinGecko’s pricing API to go down, as “billions of requests” were pointed at the Mad Lads mint.
Billions of requests. Things that went wrong.
– crushed by ddos (and extortion)
– coingecko api down
– twitter spaces broken
– cloudflare ui broken
– rpc node 1 data center rugged
– rpc node 2 unable to handle capacity
– bots trying to rug the public phase
Fock it.
— Mad Armani 🎒 (@armaniferrante) April 21, 2023
“There was basically this cat-and-mouse game that started happening where the attacker was trying to reverse-engineer their code,” Ferrante said, “and we would change the antibody tactics and go back and forth, and back and forth.”
Coral then decided to push the Mad Lads mint by 24 hours, to Friday night, to save the collection from being swiped up by botters. With the extra time, Ferrante’s team cooked up a new strategy to combat botters.
When Friday’s mint was about to start, floods of DDoS requests came crashing in again. This time, however, Coral sent two back-to-back updates to the minting app: one that was legitimate and pointed to the real NFT mint process, referenced in the public mint interface; and another that could only be found by reverse-engineering the code.
The one found by reverse-engineering the code pointed to a “honeypot” – an isolated location designed to trick botters into spending SOL on a fake mint and receiving nothing of value in return. The fake contract honeypot ended up taking in over $250,000 worth of SOL, and users who attempted to bot the system were not in line for the real NFT drop, which began moments later.
On Friday, the Mad Lads project tweeted “HONEYPOT BITCH,” alongside a link that shows a Solana network account that held the funds from the fake mint. All of the funds have since been returned to their wallets.
Ferrante admits that it’s possible some legitimate hopefuls were caught up in the fake mint. While some Twitter users claimed that they were following the rules but ended up with a useless NFT, Ferrante insists that most of the tricked users were trying to game the mint.
To reach the fake mint, a minter would have had to manually write code to mint a Mad Lad NFT after reverse-engineering the contract code – and anyone doing it en masse would have had to do the same thing, outside of the normal process.
While it’s unclear whether this sort of strategy can help keep future NFT drops from being swiped up by bots and automated programs, Ferrante believes that this event has been a net positive – as a potential advertising opportunity to its intended audience, alongside buzz and excitement.
“In real time, we were fighting these guys that were trying to extort us at the beginning of the week,” Ferrante recounted. “And it was kind of this very euphoric, crazy event. It was honestly one of the most stressful times in my life.”