Normie, a memecoin built on the Ethereum layer 2 network Base, shed $40 million off its market cap after an exploit increased its token supply.

According to analysis from pseudonymous crypto trader and developer “@ProfoundWatcher” on X, the exploiter took advantage of a flaw in the Normie smart contract, which allowed them to mint extra tokens.

The developer found that the piece of code that allows this to happen has no reason to be included in the contract. The exploiter was able to buy 5 million tokens, give themselves the required permissions and then use a flash loan to fill up the contract account endlessly until they could drain it.

When one user asked whether this pointed to the exploit potentially being an inside job, Profound Watcher noted that it was “almost certain it’s someone involved with the team or whoever wrote the contract” unless it was a fork of some other project.

At the time of writing, Normie’s official X account had been suspended, but the project’s website was still up and running.

Centralized crypto exchange L Bank also noted that it had encountered an unusual number of NORMIE tokens that were possibly linked to the exploit.

Messages encoded in blockchain transactions show that the Normie exploiter address reached out to the project’s deployer wallet address offering to return 90% of the exploited funds on the condition that the team uses 600 ETH in the developer wallet to fairly launch a new token to reimburse holders.

“Exploiter, we accept your offer to return 90% of the exploited ETH. You may keep 10%, no reprisals. All ETH from the normie dev wallet will be used to rectify this situation and assist our releaunch,” said the Normie team on X before its account was suspended. 

Normie was launched in March and reached a peak market cap of $130 million on April 2, according to data from Coingecko. On its website, the token targets “normies” with a tagline “no taxes, no rugpulling, no bullsh–.”