The NBA’s plan to drop 18,000 free NFTs on its fans has gone awry.
The basketball league yesterday launched a new collection of NFTs called “The Association,” which was intended to provide exclusive NFTs to the earliest members of the NBA’s Discord server. Instead, security vulnerabilities in the collection’s smart contract, the computer code that enables NFTs to be created and traded, resulted in users exploiting the drop, unfairly minting the NFT, and cleaning out the collection in roughly an hour.
The NBA yesterday acknowledged the exploit and said it would work toward a resolution for its fans. Today, the league announced it would increase the size of its NFT collection from 18,000 to 30,000 items in order to ensure everyone who was supposed to receive one will get one.
We recognize the issues with the smart contract which caused the Allow List supply to sell out prematurely. We apologize for this situation and are currently identifying the Allow List wallets that were not able to mint as a result.
NFTs, short for “non-fungible tokens,” are unique tokens that are used to signify ownership over digital assets, such as artwork and other types of collectibles. In this case, each Association NFT represents an NBA player in this year’s playoffs: 75 NFTs of each player from 16 different teams, initially totaling 18,000 NFTs in all. The NFTs are meant to be “dynamic” and will change, and presumably increase or decrease in value, depending on the real-life performance of the player to which it is linked.
Each NFT was to be reserved for early members of the NBA’s Discord server, which just launched on Friday. These members were granted access to an “allow list” (another term for whitelist) that would reserve one free NFT per each Ethereumwallet address registered on the list.
But bugs within The Association’s smart contract destroyed this promise to those fans. A relatively simple exploit allowed users that were whitelisted to grant minting access to other wallets that weren’t on the original allow list.
The contract also didn’t properly keep track of the number of mints that took place per wallet. “If a contract was made, it could mint the entire collection in one transaction” tweeted CaptainDefi, a Twitter user who provided an overview of the code on Wednesday.
🏴☠️ NBA NFTS EXPLOIT EXPLAINED THREAD 🏴☠️
The Association NFTs was exploited today, anyone could mint them totally for free
This all effectively resulted in some users minting as many free NFTs as they wanted, some collecting over 100, and then quickly selling them on the secondary NFT trading market OpenSea for more than 0.30 ETH (roughly $1,000 at the time).
The NBA paused the NFT drop just over an hour into the launch after realizing their smart contract had been exploited.
NBA Smart Contract Bugs🏀
Overall, the #NBA smart contract had major security bugs, overly complicated, and lacked optimization. A friend of mine told me to check out their contract and I noticed the following problems🧵
This, however, isn’t the NBA’s first go-around with NFTs. NBA Top Shot, which captures NBA highlights in the form of NFTs on the Flowblockchain, gained notoriety last year and is largely responsible for the rise in mainstream attention in sports NFT collectibles. While there’s no clear relationship with Top Shot in the NBA’s latest drop, the league had promised some extra rare Association NFTs to Top Shot collectors.
Despite yesterday’s exploit, the NBA appears poised to move forward with its plans for its Association NFT collection. “We’ve identified the wallets on the Allow List that were not able to mint an NFT yesterday and will be airdropping those fans an NFT from The Association collection,” a representative of the NBA announced in its official Discord server.
The best of Decrypt straight to your inbox.
Get the top stories curated daily, weekly roundups & deep dives straight to your inbox.