Ethscriptions is a new Ethereum-based protocol developed by Tom Lehman, co-founder and former CEO of Genius.com. Launched in June 2022, Ethscriptions allows users to mint non-fungible tokens (NFTs) and embed arbitrary data into the metadata stored on-chain. This enables creating unique digital assets with personalized messages and content recorded directly to the Ethereum blockchain through transaction calldata. The innovative use of calldata allows for new types of NFTs beyond just art and collectibles. However, Ethscriptions recently suffered a significant hack resulting in 200 digital collectibles being compromised, according to the project’s creator.
According to creator Tom Lehman, the core Ethscriptions protocol and other applications utilizing the technology were unaffected by the recent exploit. However, a considerable number of Ethscriptions non-fungible tokens listed on the main Ethscriptions.com marketplace were compromised.
Lehman stated on Twitter that approximately 123 individual addresses lost a total of around 202 Ethscriptions due to the attack. He acknowledged that while new protocols often experience growing pains, this hack resulting in stolen NFTs was an unfortunate setback. Lehman emphasized that only the NFTs on the Ethscriptions.com marketplace were impacted, not the underlying Ethscriptions technology itself. Still, over 200 unique digital collectibles created using the novel protocol were hijacked by the hacker exploiting a vulnerability in the marketplace’s smart contract code.
The total dollar value lost in the Ethscriptions hack is uncertain. However, data from OpenSea shows some Ethscriptions NFTs have recently sold for up to 5 Ethereum, around $9,600.
Creator Tom Lehman told Decrypt that while any theft of Ethscriptions is unfortunate, the stealing of Ethscription #56 was particularly “brutal.” Early minted NFTs are often seen as more rare and valuable in a collection. Lehman lamented that this scarce, early Ethscription was compromised in the exploit.
Though the monetary amount stolen has not been confirmed, some of the 202 hacked Ethscriptions could be worth thousands based on the premium pricing of rare, low-mint-number NFTs. Lehman expressed regret that holders of coveted early Ethscriptions were impacted by the attack.
According to Tom Lehman, the hack of the main Ethscriptions marketplace is especially disappointing because it was intended as a model for other platforms looking to integrate Ethscriptions.
“The purpose of the marketplace was to demonstrate to others how to build Ethscriptions marketplaces and help grow the ecosystem,” Lehman stated. “Unfortunately, we failed in that regard.”
Lehman took responsibility for the vulnerability, explaining the exploit stemmed from a flaw in the smart contract code he and his co-founder Michael Hirsch authored. The bug enabled withdrawing Ethscriptions NFTs that did not belong to the hacker from the marketplace contract.
As the initial flagship marketplace meant to showcase Ethscriptions technology, Lehman regretted that its security lapse undermined that goal. However, he reiterated that only the Ethscriptions.com platform was compromised, not the core Ethscriptions protocol itself.
Tom Lehman explained that while the Ethscriptions protocol saves on smart contract storage costs, this requires more strategic use of contracts for things like marketplaces. “You have to figure out a way to either give smart contracts information or make it so smart contracts don’t need that information,” he said.
According to Lehman, the hacked Ethscriptions.com marketplace will relaunch after implementing protocol adjustments to address the vulnerabilities. He has contacted many affected users, praising them on Twitter as “the earliest adopters” of Ethscriptions.
Lehman acknowledged the challenges in minimizing blockchain data storage while still securing complex smart contracts like NFT marketplaces. The Ethscriptions team is working to enhance the protocol’s security for contract interactions before relaunching their marketplace. Despite the setback, Lehman expressed gratitude for the early supporters of Ethscriptions and their innovative use of Ethereum calldata.
Ethscriptions differ from typical NFTs in that the data is stored directly in Ethereum transactions rather than minted as ERC-721 tokens by smart contracts. Per Dune Analytics, approximately 474,000 Ethscriptions have been created to date.
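The custody problem described above, as a simplified Python model added here for illustration (not the Ethscriptions.com contract, whose code the page does not show): ownership is assumed to live in an off-chain indexer, so an escrow contract must record each depositor in its own storage. All class names, addresses and ids are constructed.

```python
# Simplified model; every name and value here is hypothetical.
class Indexer:
    """Off-chain view: ownership is derived from transactions and contract events."""
    def __init__(self):
        self.owner = {}                      # ethscription id -> current owner

    def create(self, creator, eid):
        self.owner.setdefault(eid, creator)  # first creator of an id keeps it

    def transfer(self, sender, to, eid):
        # A transfer is honoured only if the sender is the recorded owner.
        if self.owner.get(eid) != sender:
            return False
        self.owner[eid] = to
        return True


class NaiveMarket:
    """Escrow contract that keeps no record of who deposited what."""
    address = "0xMARKET"

    def __init__(self, indexer):
        self.indexer = indexer

    def deposit(self, sender, eid):
        # Models the user transferring the item to the contract address.
        return self.indexer.transfer(sender, self.address, eid)

    def withdraw(self, caller, eid):
        # Models the contract emitting a transfer event for the indexer to apply.
        # With no stored depositor there is nothing to compare the caller against.
        return self.indexer.transfer(self.address, caller, eid)


class TrackedMarket(NaiveMarket):
    """Same escrow, but the depositor is written to contract storage on deposit."""
    def __init__(self, indexer):
        super().__init__(indexer)
        self.depositor = {}                  # contract storage: id -> depositor

    def deposit(self, sender, eid):
        ok = super().deposit(sender, eid)
        if ok:
            self.depositor[eid] = sender
        return ok

    def withdraw(self, caller, eid):
        if self.depositor.get(eid) != caller:
            return False                     # caller never deposited this item
        del self.depositor[eid]
        return super().withdraw(caller, eid)
```

In the naive variant any caller can pull an escrowed item; in the tracked variant only the recorded depositor can, which is one way of giving the contract the information it otherwise lacks.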
This novel protocol emerged after the popularity of Ordinals, which allow pseudo-NFTs on Bitcoin. Ordinals have sparked new experimentation on Bitcoin’s blockchain.
Creator Tom Lehman first revealed the Ethscriptions marketplace exploit on July 14th. As of July 17th, Ethscriptions.com still displays a warning about the compromised contract and advises users to withdraw their NFTs.
While innovative, storing NFT data in calldata presents security challenges for associated platforms, as the Ethscriptions case demonstrates. However, Lehman remains committed to enhancing the protocol and relaunching the marketplace after addressing the vulnerabilities that permitted over 200 Ethscriptions to be stolen.