NBA Player Card NFT Contracts Riddled with Loopholes! Free Minting Possible Without Whitelisting
The NBA launched the dynamic NFT "THE ASSOCIATION" for minting in the early hours of yesterday, granting whitelist eligibility to many early supporters who joined Discord. However, due to a smart contract vulnerability, many users without whitelist access were also able to mint a large number of tokens, resulting in some eligible users losing their privileges.
THE ASSOCIATION NFT Contract Vulnerability
Let's take a deep dive on the @NBAxNFT contract today including how the exploit worked and what I think of the contract overall:
🧵👇
— cygaar (@cygaar_dev) April 20, 2022
According to Azuki developer cygaar, exploiting the contract vulnerability required nothing more than sending this data to the contract address from a wallet that had not yet minted; no whitelist qualification was needed.
Decompiling this data shows that it calls the function mint_approved. Examining the parameters in the info struct makes it clear that this code is mainly there to check that the transaction was signed by the minting site and that the user is on the whitelist. However, it lacks a crucial check: it never verifies that info.from == msg.sender.
As a result, any valid signature can be reused by anyone: with a single valid signature in hand, the call can be repeated indefinitely. Although each wallet can mint only once, creating a new wallet takes only a few seconds.
cygaar also pointed out a bigger oversight: the contract does not verify that the transaction comes directly from a user wallet. Adding a line such as require(tx.origin == msg.sender, "Caller not user"); would reduce the risk of the contract being abused.
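The pattern described above, in a hypothetical Solidity contract added here for illustration (it is not the THE ASSOCIATION contract's code, which the page does not reproduce): the vulnerable signed-mint function beside a hardened version that adds the two checks cygaar suggests. The MintInfo struct, the signer and hasMinted fields and the digest layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration, not the THE ASSOCIATION contract. It assumes a
// signed struct `MintInfo` and an off-chain signing key held by the minting site.
contract SignedMintExample {
    struct MintInfo {
        address from;   // wallet the minting site approved
        uint256 qty;    // approved quantity
    }

    address public immutable signer;            // minting site's signing key
    mapping(address => bool) public hasMinted;  // one mint per wallet

    constructor(address _signer) { signer = _signer; }

    function _recover(MintInfo calldata info, bytes calldata sig) internal view returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // Bind the signed message to this contract and chain so it cannot be replayed elsewhere.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, info.from, info.qty))));
        return ecrecover(digest, v, r, s);
    }

    // VULNERABLE pattern from the article: the signature is verified, but nobody
    // checks that the caller is the approved wallet, so any caller can replay it.
    function mint_approved_vulnerable(MintInfo calldata info, bytes calldata sig) external {
        require(_recover(info, sig) == signer, "bad signature");
        require(!hasMinted[msg.sender], "already minted");
        hasMinted[msg.sender] = true;
        // ... mint info.qty tokens to msg.sender
    }

    // Hardened form: bind the approval to the caller and reject contract callers.
    function mint_approved(MintInfo calldata info, bytes calldata sig) external {
        require(info.from == msg.sender, "signature not for caller");
        require(tx.origin == msg.sender, "Caller not user");
        require(_recover(info, sig) == signer, "bad signature");
        require(!hasMinted[msg.sender], "already minted");
        hasMinted[msg.sender] = true;
        // ... mint info.qty tokens to msg.sender
    }
}
```

The info.from check is the one that actually stops signature reuse; the tx.origin check only blocks calls routed through another contract (it also rejects smart-contract wallets), and neither prevents a whitelisted wallet from being a fresh one, which is why the signed approval must be issued per wallet.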
Once the vulnerability became known, many individuals exploited it, minting NFTs rapidly and leaving whitelisted users unable to mint at all.
"Looking at the organization, the contract seems very hasty. Casual comments, inconsistent capitalization, many unused variables, and no optimization," cygaar stated.
To make smart contracts more secure and robust, cygaar offered several suggestions:
- Properly verify signatures to ensure they come from the message sender
- Put more effort into contracts, rather than just copying and pasting everywhere
- Hire auditors; any qualified auditor can quickly identify these vulnerabilities
Official Apology
We recognize the issues with the smart contract which caused the Allow List supply to sell out prematurely. We apologize for this situation and are currently identifying the Allow List wallets that were not able to mint as a result.
— NBAxNFT (@NBAxNFT) April 20, 2022
Following the incident, NBAxNFT immediately expressed apologies on their Twitter and is currently verifying whitelist wallets that were unable to mint due to the vulnerability. Any issues can be reported on their Discord.
Update 4/22: an additional 12,000 player cards issued
Thank you for your patience as we’ve worked to analyze the issues experienced in yesterday’s The Association NFT mint. We appreciate the engagement and feedback we’ve received from this community as we’ve worked towards a solution.
— NBAxNFT (@NBAxNFT) April 21, 2022
According to the latest official statement, they have identified the whitelisted wallets that were unable to mint, and each of these users will receive a THE ASSOCIATION NFT as compensation.
However, the series will also grow from the original 18,000 to 30,000 NFTs, and the number of cards per player will increase from 75 to 125.
Related Information: THE ASSOCIATION NFT Contract Code, THE ASSOCIATION NFT Contract Owner