EtherWrapped, a project designed to provide a yearly summary of users’ nonfungible token (NFT) activity, launched a little over eight hours ago to palpable fanfare within the crypto community.
The website detailed a plan to airdrop YEAR tokens based upon quantitative engagement statistics from users’ MetaMask wallets or, in simpler terms, their number of transactions, volume traded and gas fees, among other data.
Upon verification on Etherscan, a number of well-regarded developers and engineering experts in the space assessed the coding of the smart contract. Meows.eth noted that these parties saw a “presence of a function titled _burnMechanism,” but concluded that it was merely a harmless error by the seemingly amateur creator.
What we noticed during a brief pass was the presence of a function titled _burnMechanism.
This function looked innocent enough; it would fail if you attempted to interact with the contract owner.
What myself and others missed is how might one weaponize it for evil.
— meows.eth (@cat5749) December 31, 2021
However, unbeknown to all, the creator of the contract had planted this flaw maliciously in order to call the “revokeOwnership” function soon after, assigning ownership to themselves and orchestrating a honeypot scenario in which users could only buy, not sell, the asset.
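A toy model of the mechanism described above, added here as an illustration; it is not the EtherWrapped contract's code. The `ToyToken` class, the `POOL` address and the assumption that the reassigned owner is the address sells must pay into are constructed for this example (the page does not name the address). It shows why a buy-then-sell simulation has to be rerun against current state: the same check passes before the ownership change and fails after it.

```python
import copy

POOL = "pool"  # constructed address that buys come from and sells pay into

class Revert(Exception):
    """Stands in for an EVM revert."""

class ToyToken:
    def __init__(self, owner):
        self.owner = owner
        self.balances = {}

    def _burn_mechanism(self, recipient):
        # Per the article: the hook fails when the counterparty is the owner.
        if recipient == self.owner:
            raise Revert("transfer involving owner")

    def revoke_ownership(self, new_owner):
        # Despite its name, this reassigns ownership instead of removing it.
        self.owner = new_owner

    def transfer(self, sender, recipient, amount):
        self._burn_mechanism(recipient)
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

def round_trip(token, trader, amount=1):
    """Simulate a buy then a sell on a copy of the current state."""
    sim = copy.deepcopy(token)
    legs = {"buy": False, "sell": False}
    try:
        sim.transfer(POOL, trader, amount)   # buy: pool -> trader
        legs["buy"] = True
        sim.transfer(trader, POOL, amount)   # sell: trader -> pool
        legs["sell"] = True
    except Revert:
        pass
    return legs

def demo():
    token = ToyToken(owner="deployer")       # constructed initial owner
    token.balances[POOL] = 1000
    before = round_trip(token, "alice")
    token.revoke_ownership(POOL)             # assumed target of the reassignment
    after = round_trip(token, "alice")
    return before, after

if __name__ == "__main__":
    print(demo())
```

A review that only reads `_burn_mechanism` at deployment sees a check against a harmless owner; the risk comes from pairing an owner-dependent transfer hook with a function that can still change the owner.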
Consequently, those who had connected their wallet and received the airdropped token witnessed their asset soaring in value, and as…