REKT Vulnerability & Next Steps
REKT
4 min read·
Shit happens sometimes. We regret to say that our smart contract has a vulnerability, and the funds kept there were drained. Wallets in your profiles are SAFE. Your creator fees are SAFE.
First, we want to apologize to you. You were so excited, we were so excited. We failed, and we must apologize to you. We bet this is not the end.
Please read the information below carefully about what we will do next and how to export your wallet.
What actually happened? Our smart contract was drained due to a vulnerability. In other words, you could buy multiple cards and immediately start selling them 1 by 1 higher than you paid for them. Some bad actors figured this out and initiated tons of wash trading activities, buying 3 cards in one TX and then selling them 1 by 1. Here are a few examples:
https://basescan.org/address/0x53d0a58b5a02d7c09d1b00a7a1357f61cc8ca6c8#tokentxnsErc1155
https://basescan.org/address/0xfb8f7813b3da47e58e2e99d4a5f60680cc0a18b8#tokentxnsErc1155
https://basescan.org/address/0x27dc7ee17e3c72b7b1e7b1b18e32b1c8b9d0a42f#tokentxnsErc1155
It will take some time to identify all these attackers and if required, we will publish all these FIDs. This way, you can personally verify that these individuals are not and cannot be associated with our team in any way. Technically, they are not hackers; they simply have taken advantage of vulnerability.
Honest and wealthy people, of course, would not take advantage of such an opportunity, but we clearly understand that everyone in this world has different living standards. Perhaps these bad actors had unbearable financial difficulties, and now, due to this act, they will be able to survive. Perhaps they themselves do not realize the scale of the baseness of their act, but they “stole” funds from an early-stage project that was trying to survive for almost 1.5 years after numerous pivots. The REKT team had to work several jobs in order to have money to live and develop the project. But we went out of our way for the sake of users who were waiting for our project and wanted to use it honestly.
Some stats with proofs:
we have almost 6k registered users (check # of pages in our leaderboard);
in fact, only ~2100 users were able to mint their cards BEFORE we stopped minting cards for them (we went out of API limits on Neynar)
approximately 700 accounts bought 2+ cards;
508 users were active traders
REKT’s treasury has ~ 1,83M $DEGEN: 0xD6Cc72258277126ae691BdaF397f4674dF71c3AF
Prize Pool treasury has ~ 1,93M $DEGEN: 0x7a8f876fB67c9DCb4D5A8f4BB41170dD5c6d8CF1
Total amount deposits (excluding bad actors): 11,202,825 $DEGEN
The REKT team will start partial refunds within 24 hours. We are still making sure that we have accounted for all affected users.
The list of users affected: https://docs.google.com/spreadsheets/d/1i_LRWPhy4cz7pt4QinfIWDAbdiAxUifilVWnfP1BacU/edit?usp=sharing
If you believe you were affected and can’t find your address here, please DM us.
So, what we are going to do next:
we are disabling most buttons in our app (trading, deposit, buy, sell).
WE ARE ADDING A FEATURE TO EXPORT YOUR WALLET (private key) so you can connect it to Metamask and control your funds. You can keep funds there or withdraw them.
We are eager to relaunch our app, but only AFTER audits. We are not leaving, and we will stay here until we “die.”
We will take ALMOST EVERYTHING that the REKT team has made and use these funds to refund initial deposits. We should keep some funds to order a security audit.
Unfortunately, we have to take Prize Pool for refunds as well. But we will provide you with points and potential airdrops in the future.
All points will be saved and restored to everyone except bad actors.
How to export your wallet! Connect to the Uncuts app. Press the Withdrawal button, and then you’ll see the “Export My Wallet” button. Then follow Privy's instructions. Be careful; it provides your private key, and you take responsibility for your funds. You can easily import this wallet into your Metamask and send funds anywhere you want.
Unfortunately, at this stage, we can only refund the amount of the initial deposits and only to those whose profits from using our service did not exceed the initial deposit. I hope you understand. But we will give you as many benefits and perks as possible from using our current app and future ideas. If your realized profit < deposits, we will refund the difference to you.
First, we will proportionally combine REKT’s treasury and prize pool and refund user deposits. These funds won’t be enough to cover all losses, but once we do that, we can figure out what is left. This process will be semi-manual.
Then, we will relaunch our app and we’ll pay a % of our profits back to affected users. You can try to trust us again, or leave and wait until we recover your losses as much as we can.
Now, let’s figure out this stuff. We understand that your emotions will take over, and potentially, a lot of members who joined us will say that we are scammers, committed fraud, or whatever. But let's face it:
👎 we fucked up with a smart contract (vulnerability). That’s true.
👍 we are not leaving
👍 we are not anonymous
👍 we are refunding your deposits. And will work to recover as much money as possible.
👍 we want to relaunch our app and will refund a % of our own profits back to affected users.
👍 we have shown that our team can launch something hyped
👍 we were always transparent and will continue staying on the same transparency narrative.
Ok, let’s make a summary. We fucked up, but we are not leaving. You can always DM us to chat about it. We will refund the initial deposits, first partially, and then recover the rest ASAP. If you still trust us, you can wait for the next release alongside the security audit report.
And yet, we will cope. Again. And our team wishes these bad actors happiness. Maybe having solved their financial problems, exhaled, and relaxed, they will think about their actions. And there is no judgment more terrible than the judgment of your own conscience. And in the end, we are grateful that our vulnerability was pointed out to us, albeit in this way. There is no limit to perfection, and this situation will only make us stronger and more competent so that in the future, it will be even more comfortable and safe for our users to use our service because we have been making it for years, not just a one-day project.
Hello sir, I deposited 9000 degen to your site with this wallet 0x2163e5710a96ace904c9a6c49bb7f26a55fd6f45 my id name : @0xtearz.eth I bought two cards in your app, the next day trading them is not available this is a very unpleasant situation for me and I hope you'll respond. cant see my wallet in list
Dear friend I was very shocked and I really liked your game. I'm sorry it happened and I understand how hard it is. My name is on the injured list, and even though I need this money, I would like to be with you and support you until the end of this airdrop season. I hope you come back strong before the end of the Airdrop and make everyone who was affected happy with a lot of profit. An important point and question I deposited 14,000 DEGEN and withdrew the amount of 2,487 DEGEN . Now my balance should be 11,513 DEGEN , but 10,500 DEGEN is recorded in the list of victims, why?
I'm shadow-banned as well...it's crazy @wenzel on FC. Gotta check my account. Appreciate your honesty...sucks balls that you guys got rekt. Gotta check my account.
Guys, my nickname is @maklaud both in the forcaster and in your application, I have contributed 30,000 of my degens, and I don't really want to withdraw them, but I can't contact you in any way, since my profile is in shadowban, you don't see my message in the forcaster. look at my profile, I am an honest degen, subscribe to me to see my messages in your posts, or ask @dvr.eth or someone else from the team to unban me. among other things, I run my channel /hytopia, they don't see my messages there either, they end up in the recent section, because of the shadowban, you'll see for yourself I'm not a bad user.
patiently waiting on my refund even though it’s less than I would have gotten for selling my own card
How do you know what you’re getting as a refund?
check the google sheet linked in the article make sure to search for your uncut wallet address and not your usual wallet https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps
Does that not just show what’s freezed or what we spent?
disregard everything I said. It was a complete rug
You and me both, should’ve sold when I had the chance😭
Uncuts @onrekt カード購入していた方、参加待ちでデポジットしていた方、要対応 👉概要 一回のtxで3枚以上をbuy→1枚ずつsellというwash tradingにより資金流出 https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps?referrer=0x6e890806a35d1a6b9b94a43c6d832b26b532c8fe
i've 182.000 DEGEN stuck on the fantasy league cards game AMA 😭💀
How did this happen?
https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps
it is deeply regretted
we deeply regret being that eraly ngl
Interesting game bro
now that we got rekt it got a lil less interesting for me ngl https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps
事態の把握はまずこちらの記事を見ましょう。 “「帳簿上の利益」や未実現利益は返金できません。現在、カードは無価値ですが、その場合、何を提供できるか最善を尽くします。” とのこと。 https://warpcast.com/onrekt/0x6816581d
カード投資してるから早く解消されてえ〜‼️💦 39 $DEGEN
/onrekt の状況と返金対象者、引き落としについてまとめます。 *日中に再掲するかも(恐れ入ります) *スレッドに続く https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps?referrer=0x6e890806a35d1a6b9b94a43c6d832b26b532c8fe
/onrekt 側のスマートコントラクトに脆弱性があり、資金が流出。 1回のBuyで複数枚の同じカードが購入でき、自身のトレードだけで購入金額より高く売ることが出来てしまう状態に。
現在はDeposit, Tradeすべて停止中。 なお「Uncutsでの利益 < Deposit金額」に該当するユーザーのみ払い戻しを24時間以内に対応を始める方針。 対象者は以下 https://docs.google.com/spreadsheets/d/1i_LRWPhy4cz7pt4QinfIWDAbdiAxUifilVWnfP1BacU/edit#gid=2045709574
Uncuts上のWithdrawは機能しているので、変にWalletの秘密鍵をインポートするのでは無く、シンプルにご利用のWalletにUncuts上の資金を引き落とした方が良さげです(運営もこちらを推奨している)。
まとめありがとうございます 200 $DEGEN
恐縮す.. DEGENまでありがとうございます🙏!
参考になりました! 100 $DEGEN
情報ありがとうございます!
とんでもないです! ちょいと残念ですね。
ですねー 盛り上がりそうだったのにー (出遅れてなんもできてなかったです)
まとめありがとうございます 300 $DEGEN
kendamaさんおはです! カード2番目に買ってくれてたっすよね.. 復帰を期待したいですね。 貴重なdegenありがとうございます🙏
アムロカードとセットで買ってて上がって喜んでましたw 復帰するといいですね
I just subscribed to @onrekt on /paragraph! Check it out:
We identified bad actors and found a vulnerability in our smart contract. Some part of the funds is affected. Please read the article below carefully, where we’ve explained our next steps and your actions. Then, watch carefully what @kopievskii posts https://paragraph.xyz/@onrekt/rekt-vulnerability-next-steps
just another day in crypto 😅 😅 😅
if you were affected, please DM @kopievskii
get some rest, ofc I'm out rn on the card purchased. will wait for word on next steps.
Anyone who’s been reading on the app / deposited funds?
Soooo… you’re going refund our deposits that have been used for trading?
Yes
What is the process for this for those affected? And when can we expect refunds to hit?
Wow amazing, only deposited 10k but this is reassuring
It's okay, shit happens. Pushing for a v2! Great idea, can be executed even better. 111 $degen
If the refunds and stuff happen, I'll still support you guys and check the new and audited version out too. It sucks, but that's part of it.
Well, this is ironic... But learn from it and keep building.
Can’t wait to see the FIDs of the perps!
rekt
@kimono
That explains why I had 7 buys in the first minute and then it went down to 3. rekt.
that's a shame. Not sure they're bad actors necessarily, I know a few ppl who bought several cards from the same person and assumed that was normal, maybe you would have needed more clarity on rules and what we can / cannot do with the cards?
if this is performance art, i'm here for it.