Doodles NFT Discord Hacked
The Doodles NFTs are a collection of 10,000 hand-drawn NFT images made by a Canadian artist with the handle "Burnt Toast". The project's Discord server was hacked on February 26th through an unknown exploit. It is unknown how much was taken, and it does not appear that any was recovered. Similar exploits have commonly abused webhooks that were given too high a permission level.
This is a global/international case not involving a specific country.[1][2][3][4][5][6]
About Doodles NFT
"Doodles are a collection of 10,000 NFTs (non-fungible tokens) that are made up of hundreds of exciting visual traits designed by Burnt Toast." "Doodles are a colorful NFT collection of cartoonish figures with unique features and colorful backgrounds. Doodles NFTs were created by Scott Martin (aka Burnt Toast), an established Canadian artist and illustrator. Doodles are made from random combinations of 256 traits. The collection also features 62 hand-drawn Custom Doodles."
"Hand-drawn Doodles include skellys, cats, aliens, apes and mascots. The Doodles collection also includes dozens of rare heads, costumes, and colorways of the artist's palette." "Doodles NFTs are enjoyed for their droll expressions, colorful palettes and the vibrant online community that shares a passion for this project. Doodles are often used as PFPs (profile pictures) on social media platforms."
"The Doodles universe is ever-expanding and new experiences like Space Doodles are only available to collectors. While the universe expands, our brand grows, and collectors can expect exclusive access to the latest products, merchandise and events through ownership."
The Reality
TBD
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
February 26th, 2022 1:27:00 PM MST | Main Event | |
February 26th, 2022 4:21:00 PM MST | Discord Account Now Secured | |
February 27th, 2022 1:32:05 AM MST | NFTEvening Article | NFTEvening reports that the Doodles NFT project's Discord server was compromised by a "hacked bot," according to a tweet from the team. However, the team quickly secured the server and announced that they will reimburse all affected holders. Details of the hack, including the number of affected members and the extent of the losses, have not been disclosed yet. The Doodles team's prompt response was praised by Twitter users. This incident is part of a series of recent Discord hacks in the NFT industry, including attacks on Snoop Dogg's Rap Empire Discord and several other communities. It is essential for communities to take precautions to protect themselves from such attacks[7]. |
February 27th, 2022 10:10:00 PM MST | Web3IsGoingGreat Mention | The issue is mentioned on the website Web3IsGoingGreat[8][9]. Doodles advised users to disregard all messages and mentioned that they were receiving assistance from their lawyers, Discord, and the community. Later in the day, they announced that they had regained control of the server and pledged to compensate community members impacted by the attack. The extent of potential losses suffered by Discord members who were deceived by messages from the attacker remained unclear. |
Technical Details
TBD
NFTEvening reports that the Doodles NFT project's Discord server was compromised by a "hacked bot," according to a tweet from the team. However, the team quickly secured the server and announced that they will reimburse all affected holders[7]. Details of the hack, including the number of affected members and the extent of the losses, have not been disclosed yet[7]. The Doodles team's prompt response was praised by Twitter users[7]. This incident is part of a series of recent Discord hacks in the NFT industry, including attacks on Snoop Dogg's Rap Empire Discord and several other communities[7]. It is essential for communities to take precautions to protect themselves from such attacks[7].
Total Amount Lost
The total amount lost is unknown.
Some community members were affected[6].
Immediate Reactions
TBD
Restoring Access To The Discord Server
The Official Doodles Discord has been successfully secured. It will take us some time to collect all of the data and complete an analysis of the attack.
Community members affected by the attack will be compensated.
Thank you.
"Not too long ago, on February 27, the collection’s Discord server was penetrated by a hacked bot." "The NFT industry’s beloved collection, Doodles is the latest to fall victim to a Discord hack. Apparently, a “hacked bot” penetrated the project’s Discord server, the team said in a tweet late last night."
"Doodles discord was penetrated by a hacked bot. Any message put out in any of our channels, ignore for now. We are on it. Our lawyers, friends at discord, and the community are helping us. We will update you as we diagnose the situation."
"But the team managed to regain control and secure the server pretty quickly." "Hours later, Doodles announced that it has secured the server and it will reimburse all the affected holders."
"The Official Doodles Discord has been successfully secured. It will take us some time to collect all of the data and complete an analysis of the attack. Community members affected by the attack will be compensated."
"At the time of going to press, Doodles had not revealed more details of the hack. It is yet unclear how many members were affected or what the losses are. However, many Twitter users praised the Doodles team for their quick action."
So sorry to hear about this!
Web3IsGoingGreat Article
The incident was shared on Web3IsGoingGreat[8][9].
The enormously popular "Doodles" NFT project announced on February 26 that their Discord server had been "penetrated by a hacked bot", and that all messages should be ignored. They wrote, "Our lawyers, friends at discord, and the community are helping us". Later that day they announced that they had regained control of the server, and that they would compensate community members affected by the attack. It wasn't clear the scale of losses that may have been suffered by members of the Discord who believed that messages coming from an attacker were from the official team.
Ultimate Outcome
TBD
Total Amount Recovered
The Doodles NFT project has vowed to compensate all users affected by the attack[6].
Ongoing Developments
TBD
Individual Prevention Policies
Individuals can protect themselves by not approving transactions that enable wallet theft and by being skeptical of unrealistic profit. Losses can be minimized by storing most funds offline.
Avoiding Approving Wallet Theft
There are generally two ways in which scammers can take your funds. The first is with a malicious transaction that you sign, giving them authorization to take funds from your wallet. The second is by getting you to share your seed phrase.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send these to anyone unless you intend to allow them to take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.
Be Skeptical Of Unrealistic Profit
Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to check whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?
Improve Your Wallet Security
While storing most funds offline wouldn't prevent the scam, it could greatly reduce the potential loss, provided those funds are kept in a separate wallet from the one which is actively being used for minting or trading.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary failure was the inability of the Discord team to properly secure their Discord server. Permissions on Discord need to be managed carefully, and each account or tool should be limited to only the privileges which are reasonable and necessary. It is recommended to have the Discord setup inspected by an expert prior to launch.
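One way to check the least-privilege point above, as an added example (not code from Doodles or from this page): decode the Discord permission bitfield of each integration-managed role and flag high-risk permissions that are not on a per-role allowlist. The role data and the allowlist are constructed, and `audit_roles`, `HIGH_RISK` and `SAMPLE_ALLOWED` are hypothetical names.

```python
import json

# Discord permission bit flags (subset of Discord's documented permissions bitfield).
PERMS = {
    "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5, "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11, "MANAGE_MESSAGES": 1 << 13, "EMBED_LINKS": 1 << 14,
    "MENTION_EVERYONE": 1 << 17, "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}
# Flags that would let a compromised bot or tool reconfigure the server or reach everyone.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
             "MANAGE_WEBHOOKS", "MENTION_EVERYONE", "BAN_MEMBERS", "KICK_MEMBERS"}

def decode(bitfield):
    """Return the set of known permission names set in a bitfield."""
    return {name for name, bit in PERMS.items() if bitfield & bit}

def audit_roles(roles, allowed):
    """Flag integration-managed roles holding high-risk permissions beyond their allowlist.

    roles:   Discord role objects ("permissions" is a decimal string,
             "managed" is true for roles owned by a bot or integration).
    allowed: hypothetical allowlist {role name: set of permitted high-risk flags}.
    """
    findings = []
    for role in roles:
        if not role.get("managed"):
            continue  # human-held roles are reviewed separately
        granted = decode(int(role["permissions"]))
        excess = (granted & HIGH_RISK) - allowed.get(role["name"], set())
        if excess:
            findings.append((role["name"], sorted(excess)))
    return findings

# Constructed sample data, not taken from any real server.
SAMPLE_ROLES = json.loads("""[
  {"name": "ticket-bot",  "managed": true,  "permissions": "19456"},
  {"name": "mint-helper", "managed": true,  "permissions": "536870920"},
  {"name": "announcer",   "managed": true,  "permissions": "134144"},
  {"name": "moderator",   "managed": false, "permissions": "8198"}
]""")
SAMPLE_ALLOWED = {"announcer": {"MENTION_EVERYONE"}}  # constructed allowlist

if __name__ == "__main__":
    for name, excess in audit_roles(SAMPLE_ROLES, SAMPLE_ALLOWED):
        print(f"{name}: high-risk permissions not on allowlist: {excess}")
```

A role with `ADMINISTRATOR` bypasses every other permission check, so any finding that includes it should be treated as the first to fix.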
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Ideally, performing key actions such as banning moderators or posting global announcements would be set up such that multiple people's approval is required.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Better education for users in the community would reduce the effectiveness of such phishing attacks on the community.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Finally, an industry insurance fund could be established which would be able to provide relief for victims.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
A good first line of defense is better education so phishing attacks are ineffective.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
It is recommended to review the security setups of platforms, including NFT projects.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have been used within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund offers the opportunity to assist victims.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Doodles (Jul 13, 2022)
- [2] Official Doodles 2 NFT Trailer - YouTube (Jul 13, 2022)
- [3] https://www.kraken.com/en-us/learn/what-are-doodles-nft (Jul 13, 2022)
- [4] https://www.fxempire.com/news/article/not-an-april-fools-joke-bayc-confirms-its-discord-was-compromised-955375 (Jun 19, 2022)
- [5] @doodles Twitter (Jul 13, 2022)
- [6] doodles - "The Official Doodles Discord has been successfully secured. It will take us some time to collect all of the data and complete an analysis of the attack. Community members affected by the attack will be compensated. Thank you." - Twitter (Jul 13, 2022)
- [7] Doodles NFT Discord Compromised—Team Vows To Reimburse Holders - NFTEvening (Jul 13, 2022)
- [8] Discord server for the Doodles NFT project is compromised - Web3IsGoingGreat (Jul 13, 2022)
- [9] Web3IsGoingGreat - "Discord server for the Doodles NFT project is compromised" - Twitter (Jul 8, 2023)
- [10] Ben - "So sorry to hear about this!" - Twitter (Jul 8, 2023)