The Unstacked, Stacked Toadz, Zombie Toadz, FUD FARM Staking Contract Exploit

What happened and what’s being done

Jay Lawpez
Oct 15, 2021

15th October 2021 18:30 UTC
LawpΞz

I’ve written this article in close conjunction with Toad who is one of the lead devs of Unstacked Toadz, Stacked Toadz, Zombie Toadz and FUD FARM. As such, what is written below is not based on speculation, but facts I have worked with Toad to articulate.

In this article we go into further detail on what happened, the impact of the exploit, how it is being resolved and what happens next.

Summary

On the afternoon of the 14th October (EST) an exploit was uncovered in the Stacked Toadz staking contract, when 43 ETH was drained from the community DAO. The same contract was in use by Zombie Toadz and FUD FARM.

Toad and his intern worked tirelessly, methodically and quickly, bringing in other senior Solidity devs to help stop the exploit (which was achieved within 2 hours of it being first noticed), and then write a replacement staking contract.

Toad and the respective dev teams wanted all of their investors to understand the full details of the exploit. The NFT community is still small, close knit and changing at a rapid pace. As a community, the devs rely on your trust in their projects. Toad feels it is only fair that they are completely transparent with their supporters and the whole NFT community.

There are things all projects can learn from this to ensure the whole NFT space is stronger going forward.

What Happened?

On 14th October at 13:29 (EST) an exploit was announced on the Stacked Toadz Discord. Not long after, the same was announced to ZombieToadz and FUD FARM.

There had been a sudden 43 ETH drain on the StackedToadz DAO.

Using this exploit, a hacker minted ~1,000,000 $STACK (the StackedToadz utility token) and sold it into the LP pool for ~43 ETH.

The knock-on effect was an immediate large-scale sell-off in $STACK by whales and others, as well as a drastic drop in the floor prices of both Unstacked and Stacked Toadz.

The exploit did not reach Zombie Toadz or FUD FARM, although they share the same contract code.

How Did They Do It?

By calling calculateRewards, one could pass the same tokenId any number of times and claim the summed rewards, with that token counted once for each time it was passed.
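One way a duplicate-tokenId bug of this kind can arise, next to a fix, as an added Solidity sketch that is not the project's contract code. The contract name, `claimVulnerable`/`claimHardened`, the reward rate and the storage layout are all assumptions, since the page does not show the original `calculateRewards`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch: names, rate and storage layout are assumptions,
// not the Stacked Toadz contract. NFT custody and unstaking are omitted.
interface IRewardToken {
    function mint(address to, uint256 amount) external;
}

contract StakingSketch {
    uint256 public constant RATE_PER_SECOND = 1e15; // constructed value
    IRewardToken public immutable rewardToken;
    mapping(uint256 => address) public stakerOf;      // tokenId => staker
    mapping(uint256 => uint256) public lastClaimedAt; // tokenId => timestamp

    constructor(IRewardToken token) { rewardToken = token; }

    function stake(uint256 tokenId) external {
        require(stakerOf[tokenId] == address(0), "already staked");
        stakerOf[tokenId] = msg.sender;
        lastClaimedAt[tokenId] = block.timestamp;
    }

    // Vulnerable pattern: every array entry is paid in full, so listing one
    // tokenId N times pays N times. Timestamps are reset only after the sum.
    function claimVulnerable(uint256[] calldata tokenIds) external {
        uint256 total;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(stakerOf[tokenIds[i]] == msg.sender, "not staker");
            total += (block.timestamp - lastClaimedAt[tokenIds[i]]) * RATE_PER_SECOND;
        }
        for (uint256 i = 0; i < tokenIds.length; i++) {
            lastClaimedAt[tokenIds[i]] = block.timestamp;
        }
        rewardToken.mint(msg.sender, total);
    }

    // Hardened pattern: settle each token's accrual inside the loop, so a
    // repeated tokenId contributes zero on its second appearance.
    function claimHardened(uint256[] calldata tokenIds) external {
        uint256 total;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            uint256 id = tokenIds[i];
            require(stakerOf[id] == msg.sender, "not staker");
            total += (block.timestamp - lastClaimedAt[id]) * RATE_PER_SECOND;
            lastClaimedAt[id] = block.timestamp; // state updated before next entry
        }
        rewardToken.mint(msg.sender, total);
    }
}
```

A stricter alternative is to require the `tokenIds` array to be strictly increasing and revert otherwise, which rejects duplicates outright instead of paying zero for them.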

How Was The Exploit Fixed?

Across all staking contracts the dev team immediately reset all of the unclaimed rewards to 0, meaning that the exploit could not continue if the hacker had tried to mint more $STACK.

With the exploit then identified and stopped, a new staking contract was written for all projects.

What is the Impact?

The impact on project holders is that any staked tokens will need to be unstaked, and then staked again in the new contract.

In addition, holders will see their unclaimed rewards set to 0.00 for the time being. The lost rewards will be airdropped to holders upon completion of on-chain analysis of how long each NFT was staked and how many rewards are owed.

How is it Going to be Resolved?

For Stacked Toadz:

  1. 60 ETH from the DAO treasury will be used to buy $STACK and immediately burn it to compensate for the unexpected increase in supply.
  2. 100% of royalty payouts will be diverted to the DAO until the 60 ETH spent is made up, effectively meaning the devs will be paying for the 60 ETH buyback (usually, 50% is diverted to the DAO and 50% is paid out to the devs).
  3. By 10:49 PM (EST) on the 14th, the first of four 15 ETH buybacks had already been completed. 471,571 tokens were burned in this first round, which was nearly 50% of what was exploited. (The Etherscan transactions for the initial buy and burn are at the end of this article)
  4. All missing unclaimed rewards will be air dropped to all holders.
  5. The full tokenomics schedule has been updated and is within the #announcements channel of the Discord.

For FUD FARM:

  1. A mechanism will be figured out for all holders who financially couldn’t manage to unstake their tokens and stake them again. The dev team is assessing the best way to do this and will release more detail asap. Please do not worry about losing tokens.
  2. All missing claimed or unclaimed rewards will be air dropped to all holders.
  3. For FUD FARM, the 30-day incentivised initial staking phase will be assessed to take into account the pause.

For Zombie Toadz:

  1. All missing claimed or unclaimed rewards will be air dropped to all holders.

How Do We Move on From This?

In a world as infantile as NFTs, there are always going to be those who choose to pursue a different path in order to get rich quick, destroy projects and the trust of their holders.

It is important to understand that 99.9% of devs want their projects to be a huge success (the 0.01% being the unfortunate rug pullers of this world). They have the best interests of their communities at heart, and want everyone to come along with them on the incredible journey and within the amazing ecosystems they’re creating.

This couldn’t be truer of Toad and his team. They hope to bring success to their community and hope all other communities are successful as well. They hope that by offering this level of transparency with you all that the level of trust you have placed in them and their projects remains.

Questions… Please tweet Toad @toad_dev or myself @itslawpez.
