MetaVault #3: The Moon Goes Dark
Pixel Vault's first big security challenge and their response to the community
This is MetaVault, a weekly-ish newsletter that tries to make sense of the Pixel Vault universe: PUNKS Comic, MetaHero, United Planets, DAOs within DAOs within DAOs.
On Halloween, the final hours of the Planet mint and burn for the Moon DAO token had a celebratory !vibe. More than 16k+ planets had been minted already and only a couple hundred Moons remained. GFunk, Beanie, even Odious — everyone was posting to Twitter about getting planets before they were off the market. You could feel the buzz.
Meanwhile, the NFT world was descending upon New York for NFT.NYC. Lots of posts about parties, art work in Times Square, IRL interactions. People quickly realized that the uniqueness of our community was going to make this a very special week.
A huge PV release was winding down as NFT.NYC was ramping up. It was all coming together perfectly. And then…
I was watching the Discord for announcements because in the last Town Hall GFunk mentioned “big news shortly after the close of mint to reward people who have faith in the project.”
Potamus posted to the Announcement channel in Discord at 5:46 PM the following:
That’s it. End of message. Hmmm.
I jumped straight into the PVFD channel to see what was cooking, excited to get any insight into the “big news.” And that’s when I heard the first rumblings.
something something, moon dao, comics, burn, exploit, opensea, 2 ETH…
- A person was discovered on OS who was minting a lot of Moon DAO's and selling them immediately for cheap offers.
- However, he wasn't burning any comics. But comic burning activity was incredibly high, with tens of comics being burned. A member here confirmed he didn't burn his comic and that is was stored on the ledger.
- PV team was tagged and started investigating immediately with whole tech team. The contract is now paused.
- These people weren't hacked, but it seems the contract was exploited, which allowed the comics to be burned for the Moon DAO tokens, that were then sent to one address.
The original summary post was at 4:00 PM — but they and GutterMindd were on it early, starting at around 3:20. By 3:43, VGF was asking for a link and transaction hash. By 3:50, GFunk messaged in the PVFD channel:
I have the devs on it
At 6:44 PM, GFunk posted a resolution to those affected:
We will issue a special edition comic 1 to those affected - it will be numbered to roughly 60. We will physically print this edition as well and serialize. These will be enabled to stake for PUNKS as well. Further, these comics will receive Pixel Passes. Free mints for life. With regard to the moon - we are going to reissue a new moon DAO to rightful holders only. The existing moon will be “The Dark Side of the Moon”. It will have whatever value people assign but no DAO.
From puzzling OpenSea transactions to verified exploit to a solid resolution — all within three hours.
I have no insight into the team’s thinking then, what they’re doing now, and how they’re planning for increased security in the future (yes, this newsletter is the premier publication covering Pixel Vault — but no inside information… yet!). But let’s dive into PV’s official response on Twitter, tweet by tweet.
Pixel Vault’s Response
Let’s say you had two comics and wanted to burn one, keep one. You could go on the site and pre-approve the Moon burn to make it easier and faster for you to burn when the Moon was available — remember, 17 members of the community thought the moon would go so fast they burned straight from the contract the instant it was announced and lost their comic (which birthed the terrible name I came up with that the community has roundly rejected out of apathy: Lost Lunar 17). Maybe a collector burned that one comic three weeks ago when the Moon burn was launched and left their other comic in their wallet, as anyone would. Well, the exploit allowed the exploiters to use that pre-approval mechanism to send the comic to the burn address and receive a Moon DAO token to an address of their own.
The exploiters immediately posted the minted Moon DAO tokens on OpenSea with low Buy Now prices (~2 ETH) — many getting snatched up soon after posting. The mass minting and low prices was the tipoff to the PV Discord that something fishy was going on.
58 OG comics gone forever. Many of them were low serial numbers. Devastating.
Some in the community asked if PV had a way to restore the comic after it was burned? To my knowledge, the short answer is no. Could PV provide new comics and back-serialize them? Again, no.
Why did they introduce this pre-approval mechanism? PV has leaned heavily into reducing gas wars — and gas fees in general. Mint Pass #1 and the planet sale are examples. They use a mix of technical ingenuity (ERC1155 tokens, pre-approval) and supply/demand signals (high supply, longer minting periods) to try to make the experience frustration-free.
I’m not a cyber forensics investigator, nor do a play one on the internet. So I can’t provide a play-by-play on the transactions or the features in the contract that left it vulnerable. I think it’s interesting that PV uses the terms exploiters and perpetrators, plural. There must be enough evidence to suggest that it was a coordinated attack from multiple parties.
I’m also not a lawyer. Maybe someone like Jacob Martin, the NFT Attorney, could help us understand the legality and criminal punishment for exploiting a contract to get something that wasn’t yours. I think it’s important to remember that this was a $1M+ heist (58 comics valued at 5 ETH).
This would be the absolute minimum I’d hope the PV team would do: figure out a cool way to replace the stolen comics. They ticked all of the boxes here. The 58 comics lose no utility and gain a fair bit of notoriety. I think most in the PV community were satisfied with this part of the response.
Curious to see the updated cover design. This special edition will become sought after on the market. There will now be 3,313 OG PUNKS Comic #1 and only 58 Special Editions. Looks rare.
A few things before diving into this element of the response:
Exploits Suck for Everybody. They’re bad for Web3, the community, the company, the dev team, and innovation. Trying new things in a very new technology paradigm comes with inherent risk. But when you’re bitten by an exploit, it can make everyone nervous about the project.
OG Comics = Genesis of Pixel Vault. GFunk and the team see PUNKS Comic #1 as the genesis. It’s not a coincidence that they continue to drive value to people that invested with them early and hodl their first project. It’s what set the company in motion. Seeing these grail comics go to the burn address had to make the whole company sad.
Partnerships. This kind of news isn’t good when you’re racing toward a large corporate partnership to launch comic #2 and in deep discussions with major game studios about Web3 integration. If the NFT community can get freaked out when this happens, the normie world could get too spooked to play in our sandbox. I imagine the team had to do some damage control.
All of this leads me to believe that Pixel Vault went above and beyond by providing PixelPasses to everyone affected to show how serious this was and how much they cared. Free mints for life is a huge payback.
Several of the affected collectors were very excited to get the PixelPass. And several of the non-affected collectors were bummed. They felt it de-valued the PixelPass benefit provided to winners of the MetaHero Core giveaways. Previously, the only way to get your hands on the PixelPass privilege was to win a Core. Pixel Vault never said that was the only way to EVER get the PixelPass privilege. It may have been the first of a hundred ways. But it’s now the first of at least two ways to get the pass.
The second thing that many don’t realize is that the PixelPass isn’t an NFT — it’s a benefit to holding a certain asset or set of assets. From my understanding, collectors who won a Core aren’t airdropped a PixelPass that they could then sell or transfer. It’s almost like being on a whitelist. The same will now be true of the 58 who hold a Special Edition.
Interesting enough, at least one Core winner (Janky Warhol) was one of the affected collectors. Their response below:
So the approximate 700 rightful owners of the Moon DAO token will get a new Moon DAO token airdropped to their account. The original Moon token will still exist, but will be stripped of all Pixel Vault value — meaning it’s not included in the United Planets set, won’t have a share in the UPDAO bag, has no Moon DAO voting rights, and hodlrs won’t be able to claim any Moon-specific gaming features and benefits (land, resources, etc…).
However, it won’t be stripped of its market value. I’ll be curious to see how this plays out. In 10 years, will owning a Dark Moon mean something to the larger community? If you’re a completionist, having all assets will certainly have meaning and value to you. Any predictions on what the first Dark Moon sells for? 0.2 ETH? 0.5ETH? 1 ETH?
As for those who unfortunately bought the stolen moons, they’ll get reimbursed but not receive the new Moon DAO token. Not sure if they’ve already been paid or when they will. That’s not an insignificant amount of ETH for both collector and Pixel Vault. Good to see the collectors will be made whole.
Overall, a solid response by the PV team. The fact that this story died down very quickly is a testament to the fact that the community at large accepted the response. I’ll be looking for ripple effects in the way Pixel Vault approaches aspects of this project in the future. Will they continue to lean into technical methods to make the experience better for the community? Will they emphasize security implementations deployed with various mechanics to ease any lingering concerns?
Minting Bonus? GFunk mentioned “big news when the mint closes” in the last Town Hall. They’ve had their hands full with the Dark Moon episode. I think we can expect something soonish.
Planet DAO Token Sale. DONE! Over 17k planets minted.
Burn for Moon DAO Token. DONE! Ended with a bang, huh?
New Moon DAO Token Airdrop. Not sure on sequencing, but I believe PV will airdrop this prior to snapshots and the larger Planet Giveaway. Second week of November is my guess.
PUNKS Comic #1 Special Edition Airdrop. Same here. They’ll need to airdrop the Special Edition to fairly distribute the Planet Giveaways. Second week of November is my guess.
Planet Minting Bonus. As soon as they clean-up the Moon mess, I expect a surprise. Second week of November.
MetaHero Core Giveaway. Second week of November. Good way to get the community juiced again…
MetaHero Identity Snapshot & Free Planet DAO Token + MintPass 2 Claim. Expect this to move back a week or two. Third week of November.
Planet DAO Giveaways to Holders of Pixel Vault NFTs. Expect this to move back a week or two. Third week of November.
Planet DAO Token Snapshot for Free MintPass #2. Third week of November.
PUNKS Comic #1 Physical. Third week of November.
Staking: PUNKS Comic #1 and MetaHero Identities. Third week of November.
MintPass #2 Claim. Third week of November. Expect several of the previous items to work in parallel.
MintPass #2 Claim. First week of December.
PUNKS Comic #2. Mid-December.
Merchandise Tie-in with PUNKS Comic #2. Mid-December. Super exciting rumblings on the PVFD Discord. /// amirite?
Origin Stories. TBD. In progress. Expect these to start rolling out with a fairly normal cadence either by the end of the year or early next year.
MH Sidekick minting via MintPass #2. Q1 2022.
Game Platform on Mercury. TBD. Added to keep in our minds moving forward. Expect big news on who the game studio partner is later this year or early next year.
3D Avatars for each MetaHero. TBD. Added to keep in our minds moving forward.
TV Series. TBD. Expect big news far in advance of a series ever being made.
By the Numbers
PV Unique Holders: 9,791 (wow, nearly 500 new holders added in less than a week!)
PV Core Sets: 1,585 (this number was 1,619 last week — I expect it to go back up when the Special Editions are airdropped)
PUNKS Comic #1: 3,313 (this number will go up by 58 when the Special Editions are airdropped)
MH Cores Remaining in Giveaways: 110
United Planet Sets (All 9 planets + Moon): 74
This is one I check on every couple of weeks: Leprechaun hat + Charm suit. For months there were only four and all were from Saturn. I’ve been looking for coded coherence in the algorithm — thought this might be one. Alas, #5750 was minted recently and she’s from Saturn!
Beanie of the Week (BOTW)
The Cores are market steals.
Some Disclaimers: None of this is financial advice. DYOR. And yes, I’m obviously a PV collector and long-term hodlr. Not a whale by any measure (maybe a squid?), but want to be transparent on what I’m hodling: