FishyFam looks like an honest oversight
Let’s start by saying I have lots of Monday morning quarterbacking for this team. However, when you’re running fast and on a tight budget it can be hard to do things “the right way.”
Disclaimer: I own #607
It appears the FishyFam FUD is almost exclusively based on one thing and one thing only: a smart contract bug that was overlooked before mint day. The smart contract only checked how many FishyFam NFTs a wallet currently held to decide whether it could mint another. It should have checked how many that wallet had ever minted, regardless of where the tokens were moved afterwards. So, a user on the whitelist could mint their 3, transfer them to another wallet, and mint 3 more, because the holding count was back to zero. Add a savvy hacker with a script that loops mint-transfer-mint and you have a problem.
The whitelist was already oversubscribed. That alone was a red flag that the team wasn’t executing strict control.
So, what went wrong?
There was a whitelist [link to original whitelist] and it was already full before I found the project. They had tons of attention and serious community support.
The simple details
They opened the mint and a few wallets minted their allotted 3, then immediately transferred those NFTs to other wallets. This let them mint well beyond their original allotment of 3 NFTs. The supply ran out, so many of the whitelist members were unable to mint the NFTs they had been promised. And, that meant they couldn’t profit in the secondary market.
The rumor is that approximately whitelisted wallets were unable to mint any NFTs and missed out on the resale profits.
This is one of the reasons some projects only whitelist wallets connected to previous legitimate projects. Some founders use social proof to limit risk. But, a project should also have a skilled contracts developer audit the contract! Who failed here?
The Solidity contract author should have restricted minting per address: once a wallet has minted its 3 NFTs, it should never be allowed to mint again, no matter where those tokens were later transferred. A current-balance check cannot enforce that, because transferring the tokens out resets the balance. From the FishyFam contract:
uint public PRICE = 0.03 ether;
uint public MAX_ORDER = 20;
uint public MAX_SUPPLY = 10000;
uint public MAX_WALLET = 3;
uint public WHALE_WALLET = 15;
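To make the mistake concrete, here is an added example written for this post, not code from the FishyFam contract. It reuses the PRICE, MAX_SUPPLY and MAX_WALLET values quoted above and leaves out MAX_ORDER and WHALE_WALLET, whose meaning in the real contract I can't confirm. The contract names, the whitelist mapping, the deployer check and the `mintedBy` counter are all assumptions made for illustration. The two derived contracts share one mint function and differ only in how they measure a wallet's used allotment: the vulnerable one asks the ERC-721 balance, the fixed one asks a counter that transfers never touch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical presale mint gate written for this post; NOT the FishyFam contract.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

abstract contract PresaleBase is ERC721 {
    uint256 public constant PRICE = 0.03 ether;   // values quoted from the post
    uint256 public constant MAX_SUPPLY = 10000;
    uint256 public constant MAX_WALLET = 3;       // presale allotment per wallet

    address public immutable deployer;                 // assumed admin role
    mapping(address => bool) public whitelisted;       // assumed whitelist store
    mapping(address => uint256) public mintedBy;       // lifetime mints per address
    uint256 public totalMinted;

    constructor(string memory name_, string memory symbol_) ERC721(name_, symbol_) {
        deployer = msg.sender;
    }

    function setWhitelist(address[] calldata wallets, bool allowed) external {
        require(msg.sender == deployer, "not deployer");
        for (uint256 i = 0; i < wallets.length; i++) {
            whitelisted[wallets[i]] = allowed;
        }
    }

    /// How much of the caller's allotment the gate treats as already used.
    /// This single line is the difference between the two contracts below.
    function _used(address wallet) internal view virtual returns (uint256);

    function mint(uint256 qty) external payable {
        require(whitelisted[msg.sender], "not whitelisted");
        require(qty > 0 && totalMinted + qty <= MAX_SUPPLY, "sold out");
        require(msg.value == PRICE * qty, "wrong payment");
        require(_used(msg.sender) + qty <= MAX_WALLET, "allotment used");

        // Effects before interactions: counters are final before _safeMint can
        // call back into a contract receiver, so a reentrant mint() sees them.
        uint256 first = totalMinted;
        totalMinted += qty;
        mintedBy[msg.sender] += qty;
        for (uint256 i = 1; i <= qty; i++) {
            _safeMint(msg.sender, first + i); // token ids 1..MAX_SUPPLY
        }
    }
}

/// The mistake described in the post: the gate measures what the wallet HOLDS.
/// Bypass: mint(3), transferFrom(you, otherWallet, id) for each token, and
/// balanceOf(you) is 0 again, so mint(3) passes. Loop until sold out.
contract VulnerableMint is PresaleBase {
    constructor() PresaleBase("Vulnerable", "VUL") {}

    function _used(address wallet) internal view override returns (uint256) {
        return balanceOf(wallet); // drops back to zero after a transfer out
    }
}

/// The fix: the gate measures what the wallet has ever MINTED. Transfers do not
/// touch mintedBy, so a wallet that has used its 3 stays at 3 for good.
contract FixedMint is PresaleBase {
    constructor() PresaleBase("Fixed", "FIX") {}

    function _used(address wallet) internal view override returns (uint256) {
        return mintedBy[wallet];
    }
}
```

Two caveats a reviewer would add. The counter only caps each address; someone who controls many whitelisted addresses still mints many times, so the quality of the whitelist itself still matters. And if the whitelist is oversubscribed, FixedMint still sells out before everyone mints; the counter guarantees nobody exceeds their allotment, not that every allotment is honoured. An auditor reading a mint function should flag any `balanceOf` used as a per-wallet limit on sight.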
If you don’t understand the quid pro quo nature of the social media driven NFT game, it may be hard to understand how whitelist members call this a scam.
Simply put, they banked on buying their NFTs at 0.03 ETH and then reselling them at 0.5 ETH (quite the profit). They feel that promoting the project and sharing it online earned them the right to make profits on the NFTs. And, that is the social contract of this kind of NFT promotion.
Rumors that the art was stolen
Almost immediately a combination of legitimate criticism and clout-chasing FUD took over Twitter Spaces. Accusations of scams and theft flooded the twitterverse.
There was a complicated back story related to the art itself.
The original artist contracted to do the work created the baseline character. However, the artist and project owners couldn’t come to an agreement on completing the project. They parted ways, supposedly under good terms.
Almost immediately, rumors began to spread that the FishyFam founders stole the art.
Clearly, someone talked. For founders, this carries serious weight. You must pay your artists, they must participate in the profits, and you must keep a good relationship with them. This culture depends heavily on, and reveres, the creatives who make the art. The project would benefit from the artist publicly defending the work and the character of the team.
What about the money?
Distribution on this project is handled by whoever controls the wallet that receives the mint payments. A smarter, DAO-style distribution could have protected whitelist members. For example, if whitelist members automatically participated in a fixed pre-sale pool of NFTs, they would have been guaranteed some compensation for their efforts even when the mint went wrong. That, along with a solid Solidity audit, would have avoided the tribe’s internal financial conflict.
Where were the white hats?
I shared the contract with my team to audit it for fun, but we were working overtime on a paying client’s work. So we didn’t bother auditing the contract or reporting a bug since we didn’t get to it in time. I’m guessing a lot of other white hats did the same. Or, wanted to wait for the painful and very public lesson.
Some of us love the chaos! Finding the loophole wasn’t complicated. It’s a small detail, and a mature auditor would have found it.
So, what did we learn?
- Pay your artist and cut them in on the long term deal
- Create a policy and plan to compensate people who feel they deserve it
- Invest in contract auditing
Like I said above, this is Monday morning quarterbacking. We launch projects half baked all the time. We do typically call them “beta.”
I can provide some simple solutions to the problems that haunt this project.
Smart contracts and smarter deals
When you do an artist contract, make it clear that they will speak positively about the project. Contract them to do so, with liquidated damages (meaning you can sue them for a pre-agreed sum if they trash talk the project). Engage them up front with a clear understanding that you will defend your reputation and business.
Make your actual partners (which will include creatives) participants in the winnings. Put them on your side, both with the cash up front and with winnings from the project. NFT culture reveres artists, and this is a cultural game. So, make them winners and partners all the way.
Create a pool and a clear plan for how people get paid if things go well or if they go badly. Take time to game plan good and bad scenarios and put that in writing. You can’t make people understand complicated strategy, and this won’t protect you from angry mobs should things go awry. But, it will be a plan you can execute if things do go badly, and some will respect you for adhering to it. “Wait and see what we do” is not a good strategy with angry partners.
Setting aside a profit pool for whitelist members would encourage them to talk up the project even if they missed out on the early money.
Spend the extra money on contract auditing. Put up a bounty, ask for help, and pay someone to double check your work. We’re handling money here, and the stakes are high. A third-party audit can save you a lot of headaches.