<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>The big bad wolf.</title>
        <link>https://paragraph.com/@the-big-bad-wolf</link>
        <description>undefined</description>
        <lastBuildDate>Tue, 14 Jul 2026 23:02:56 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[How I got an early howler]]></title>
            <link>https://paragraph.com/@the-big-bad-wolf/how-i-got-an-early-howler</link>
            <guid>M9Mvp1Xhv1zn7qPaxDj7</guid>
            <pubDate>Sat, 26 Feb 2022 15:00:14 GMT</pubDate>
            <description><![CDATA[… and why not everything that you don’t understand is a scamYesterday saw the launch of howlerz, a much hyped “stealth” NFT launch. This meant no website, no contracts, and no precise launch date. I only heard about howlerz yesterday afternoon about four hours before it launched, and the person who told me about it sent me a link to howlerz.io, but I still managed to mint a howler with an ID in the low 1,000s before the website was (properly) live. Again, I had no insider information and almo...]]></description>
            <content:encoded><![CDATA[<h2 id="h-and-why-not-everything-that-you-dont-understand-is-a-scam" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">… and why not everything that you don’t understand is a scam</h2><p>Yesterday saw the launch of <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://twitter.com/HOWLERZNFT">howlerz</a>, a much hyped “stealth” NFT launch. This meant no website, no contracts, and no precise launch date.</p><p>I only heard about howlerz yesterday afternoon about four hours before it launched, and the person who told me about it sent me a link to howlerz.io, but I still managed to mint a howler with an ID in the low 1,000s before the website was (properly) live. Again, I had <strong>no</strong> insider information and almost no time to prepare. So how did I do it…? Read on to find out.</p><p>Firstly, you should know that I’m a software developer with a fair amount of web3 experience, and a lot of more general front end development experience too. I recently got interested in NFTs, mostly because of browsing opensea for a new profile picture and actually getting really into some of the art. When I heard about the howlerz drop, I checked out the twitter and really loved the art style, so I decided I’d try to mint one.</p><h3 id="h-getting-set-up" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Getting set up</h3><p>I’d previously tried and failed to mint a tubbycat, so I scraped the blockchain for the gas prices used by the winning minters there, and realised they were pretty damn high (&gt;18,000 gwei). I set up my metamask to use “advanced” gas fees, and set both max priority and max fee to a number in this realm that I was comfortable with. Awkward fumbling at go-live would slow me down.</p><p>I also downloaded a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://chrome.google.com/webstore/detail/auto-refresh-with-notific/hdokhoidbfbodcgoeacbddacldjgnkjc">chrome extension</a> that automatically refreshed howlerz.io every 2 seconds and notified me with some spoken audio when it changed (settings were “Advanced options &gt; stop when page includes “howlerz” - the holding page had no text).</p><p>That was literally it. Then I got back to my life (working at my computer).</p><h3 id="h-getting-lucky" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Getting lucky</h3><p>At least 2 different versions of the howlerz website went live. The chrome extension did its job and the site loaded with 0000 mints shown in the corner. I immediately selected “1” and clicked mint. Nothing happened except a default browser “alert” notification popping up with something like “undefined” written in it (I forget the exact details).</p><p>My web developer instincts kicked in, and I checked the console which (in the first instance) had lots of console logs, and <strong>unminified</strong> code published (this is code that is <em>easy</em> to read - production code is minified to save bandwidth and obfuscate code, so it’s very hard to read). One of the variables was called <code>CONTRACT_ADDRESS</code>, so took that address and navigated over to etherscan to try to mint using the etherscan UI directly, but the contract hadn’t been verified so there was just a load of bytecode and no “write contract” UI.</p><p>This actually turned out to be very lucky - the contract address I had was <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://etherscan.io/address/0x5fb76efa5266a04629502700789a13caf68f4995">the first one</a> that was deployed. I don’t know if this was an intentional decoy, or a last minute version change, but it was later replaced by the one we now know to be real.</p><p>This is the point when the next “do not mint” warning came out on twitter.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/423cd4b37ee7f9ff2bccabcb7106172893a7011feb6cc3f3bdd2fe69ac7a1b43.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Nevertheless I decided I’d try to set up a script to attempt to mint before the UI worked - I went back to the site and refreshed it to double check if anything had changed, then looked at the source again. It source was now minified, which meant it was really hard to read, and harder to find things, but not impossible. I was looking for the “ABI” - in layman’s terms, this is a chunk of information that tells the code in the browser how to interact with the smart contract, including things like the names of functions and the parameters they need to be called with.</p><p>This turned out to just be a case of “CTRL + F” for “ABI”, then a bit of extra searching around following the crumbs from the module bundler (in other words ,a few more CTRL + F searches).</p><p>Once I had the ABI, I was in very familiar territory. I’ve written a LOT of programs to interact with ethereum so I opened one that already existed and changed the contract addresses and ABIs to call the address I’d found. It probably took about 5 minutes in total but could have been much quicker if I was more prepared.</p><p>I checked everything was working by calling one of the methods I could see in the ABI called <code>WALLETLIMIT</code> which correctly returned a number. None of the methods were called “Mint” or anything like that, but when I looked down the list it was pretty obvious what most did, except <code>AwooOOooooOoo</code>. That one had to be mint, because it accepted one argument: <code>quantity</code>. The mint price (0.13 ETH) was right in front of me on the website so I set that in my transaction. Everything was ready.</p><p>Just before I ran the script, I checked back in the deployer account to see if he was doing anything. <strong>He’d deployed a new contract</strong>… I refreshed the site and saw a the holding graphic again, so I reactivated the auto-refresh. I decided to try my script on the new contract - if it was different, the <code>AwooOOooooOoo</code> method wouldn’t exist and the script would error. Nothing to lose. I changed the contract address and ran the script.</p><p>Nothing seemed to happen… It didn’t work…</p><p>About 30 seconds later the site was live again - I rushed over and minted using the UI… it went through! I got a howler completely manually! Awesome! Then I checked my etherscan to see how much gas I paid - there were two transactions! The first one was successful too - I just hadn’t set the script up to log the success. I paid ~$20 in gas for the first transaction, and &gt;$300 in gas for the manual one. I only wanted one, so I sent the other to a friend who didn’t make the mint.</p><p>For those who are interested, here’s the few lines of code that I wrote to get the howler (obviously there’s some init logic but that was already written, I just needed to change RPC and wallet private key):</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/66885cd093481d1a38ce08aecaf49adcd9a1399ea4fec23e7763fd8278819c10.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><h3 id="h-but-this-was-still-an-inside-job-you-minted-one-there-was-someone-who-minted-1000" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">“But this was still an inside job - you minted one, there was someone who minted 1,000?”</h3><p>I can tell you with confidence that if I was an NFT launch regular, and if I wanted to mint hundreds of these things, I could easily have a generic program set up and ready that would fire off the same transaction from multiple wallets. All you really need is the ABI and the contract address and quick fingers.</p><p>My theory is that the website went live early and was published in the wrong state - unformatted alert window is often used for really quick debugging, and the code wasn’t minified, indicating a development build. The opportunist kilominter was probably ready with a script, and lots of loaded accounts, watching the website in the hope there was going to be a timestamp launch or similar, and he got lucky. It’s very easily feasible. There was about a 12 minute window to get set up.</p><p>I also highly doubt that the artist would want 1,000 NFTs in the hands of one person who’ll just flip them for profit, and I think it was clear from early on that this would sell out almost instantly.</p><p>So I really don’t think this was an inside job, and hopefully you too can see now that it’s easily possible to do something like this with the right knowledge.</p><h3 id="h-so-whats-the-solution" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">So what’s the solution?</h3><p>More creative minting systems. Personally I really like the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://medium.com/@IdolLabs/the-idols-the-offering-announcement-d31bcb96396e">“Last price dutch auction”</a> approach that upcoming project “The Idols” is going to use, although I’m wondering if this’ll just result in all of the NFTs selling at the max price.</p><p>Whatever the approach, the answer is definitely not to berate NFT artists for other people’s actions. Where there’s money and anonymity there will always be shady happenings.</p><p>Peace.</p><p>big bad wolf.</p>]]></content:encoded>
            <author>the-big-bad-wolf@newsletter.paragraph.com (The big bad wolf.)</author>
        </item>
    </channel>
</rss>