Dear Bankless Nation,
Visualize Value, consisting of talents like Jack Butcher and jalil.eth, is the team behind the Checks and Opepens collections.
VV’s projects have wowed the NFT ecosystem this year, so the launch of their latest Infinity collection this week captured a lot of attention.
The underlying mechanism is unprecedented and sure to inspire many projects to come. Unfortunately, an attacker just exploited the mechanism’s first implementation for nearly 40 ETH.
For today’s post, let’s walk through the Infinity collection’s basics, its exploit, and why its design is definitely here to stay regardless of the attack!
-WMP
To Infinity and Beyond, Visualize Value Style 🌌
The Infinity collection 101
Introduced by jalil.eth on August 7th, 2023, the Infinity collection is an experimental cryptoart project designed to facilitate the creation of “infinite editions” with an “infinite supply of each piece.”
Unlike traditional limited-edition NFT drops, where one piece of work is made mintable a specific number of times, the Infinity collection has employed an uncapped supply mechanism, so countless variations are technically possible, plus each of these variations can be minted infinitely.
Non-tradable and fully onchain, meaning created and stored entirely on Ethereum, the pieces cost a fixed 0.008 ETH to mint. Mint payments were deposited into the Infinity collection’s smart contract, which offers a refund option: burn your piece to redeem your underlying 0.008 ETH at any time, the goal being to make ownership risk-free beyond gas costs.
The big idea here?
With no fees, non-tradability, and the possibility of refunds at any time, the Infinity collection was created to explore art appreciation shorn of financial incentives, and all powered on Ethereum.
Go deeper: Learning Solidity? Check out these helpful Infinity collection smart contract overviews by marka.eth and onion 🧠
The Infinity exploit
Today, August 10th, jalil.eth sounded the alarm after an attacker discovered a flaw in the Infinity collection smart contract and used it to drain the nearly 40 ETH stored within.
These funds were supposed to be earmarked for minter refunds per the refund mechanism described in the previous section. In the wake of the attack, jalil.eth and software engineer cygaar published threads separately breaking down the exploit of this mechanism.
Per these debriefs, we now know the attacker specifically took advantage of a loophole inside the contract’s “regenerateMany” function, which was intended to allow users to change the visuals of their tokens. The exploit process was as follows:
- Step 1: The attacker passed in a single token ID but mismatched amounts to “degenerate” (e.g. 0 and 4341) and “generate” (e.g. 4341 and 0), taking advantage of the lack of a check for matching token counts.
- Step 2: The contract was then commanded to burn 0 tokens and mint 4,341 new tokens for free.
- Step 3: The newly minted tokens were then used to withdraw the contract funds, effectively stealing the ETH.
In response to the attack, jalil.eth has temporarily shuttered the Infinity collection’s website (previously available at infinity.vv.xyz) and Visualize Value announced full refunds for all affected depositors.
Why Infinity mints are here to stay
To be sure, this incident serves as a reminder that rigorous testing and careful code review are always a good thing. Yet on the flip side, the Infinity exploit almost didn’t happen.
“In an earlier test contract on the Goerli test network, this bug did not exist since I checked the length of the inputs are the same,” jalil.eth noted in his initial post-hack thoughts.
This check was later cut to save on gas costs, hence the mainnet exploit. That said, the flaw is now understood by the creator and the community, so it’s no stretch to assume the Infinity collection and other inspired projects will rise with updated implementations. At the very least, it’s totally possible.
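As an added illustration (not code from Visualize Value or the Infinity contract), here is a simplified Python model of the accounting behind the “regenerateMany” flaw and the dropped check described above. The class, method names, and the 5,000-piece deposit are assumptions; the 0.008 ETH price and the 0 and 4,341 counts come from the article, and the hardened check (burned total must equal minted total) is one way to restore the missing validation.

```python
PRICE_WEI = 8 * 10**15  # 0.008 ETH mint price, as stated in the article


class RefundableMint:
    """Simplified accounting model (hypothetical, not the Infinity contract)."""

    def __init__(self, enforce_matching_counts):
        self.enforce = enforce_matching_counts
        self.balance = 0   # wei held by the contract for refunds
        self.owned = {}    # (owner, token_id) -> number of pieces held

    def liabilities(self):
        # Every piece in circulation can be burned for PRICE_WEI.
        return sum(self.owned.values()) * PRICE_WEI

    def mint(self, owner, token_id, amount, value):
        if value != amount * PRICE_WEI:
            raise ValueError("payment must equal amount * price")
        self.balance += value
        key = (owner, token_id)
        self.owned[key] = self.owned.get(key, 0) + amount

    def regenerate(self, owner, token_id, burn_amounts, mint_amounts):
        # Swapping visuals moves no ETH, so burned and minted counts must balance.
        burned, minted = sum(burn_amounts), sum(mint_amounts)
        if self.enforce and burned != minted:
            raise ValueError("burned and minted counts differ")
        key = (owner, token_id)
        held = self.owned.get(key, 0)
        if burned > held:
            raise ValueError("cannot burn more than owned")
        self.owned[key] = held - burned + minted


def shortfall_after_mismatch(enforce):
    """Return wei owed to holders that the contract balance does not back."""
    c = RefundableMint(enforce)
    c.mint("honest", 1, 5000, 5000 * PRICE_WEI)  # constructed sample deposit
    try:
        c.regenerate("caller", 1, [0], [4341])   # mismatched counts from the article
    except ValueError:
        pass                                     # hardened path rejects the call
    return c.liabilities() - c.balance
```

The invariant worth testing on every state-changing call is that the contract balance equals circulating supply times the mint price; the unchecked path breaks it without any ETH moving.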
Down for now but not out, right? The collection’s original announcement noted plans for new features and compatibility across multiple Ethereum Virtual Machine (EVM) chains, so rebooting the project would allow Visualize Value to follow through on its expansion plans.
Yet it’s not just VV and an official Infinity collection reboot that’s of interest here. This “infinity edition” format is a new style altogether in the NFT ecosystem, and it points to new design spaces regardless of what VV does next here.
What I’m getting at is how others can expand on the model!
For example, consider how an artist could add something like a 5% mint tax to an infinity-style mint, so they could keep a portion of the proceeds and minters could still get refunded with 95% of their underlying deposit later. Boom! New monetization model for creatives.
There are other instances you can imagine here, like an infinity-mint system employed in a web3 game as refundable deposits players use to access a rare dungeon, and so on and so forth.
My grand point, then, to close things out? There’s no going back. We’re now poised to see many more “infinity edition” experiments in the years ahead, and it’ll be interesting to track all that’s to come here accordingly!