The Association NFT is an NFT launched by the NBA. However, we find that the NFT sale contract has a serious vulnerability that allows an attacker to mint a large number of NFTs without paying any tokens.
The root cause of the vulnerability is the incorrect use of signature verification. Basically, the contract fails to ensure that a signature can be used only by the intended user, and only once. As a result, an attacker can reuse a privileged user’s signature and mint tokens to him/herself.
We can see that in the verify function, the sender's address is not part of the signed data. Besides, there is no mechanism to include a nonce to ensure that the signature can only be used once. These security requirements are basic knowledge in a software security class.
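A minimal sketch of a signature check that meets both requirements, next to the weak form it replaces. This is an added illustration, not The Association NFT's contract code; the contract name, the `signer` role, and the signed fields (`quantity`, `nonce`) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; SignedMintSketch, signer, quantity and minted are hypothetical names.
contract SignedMintSketch {
    address public immutable signer;             // key that authorizes mints off-chain
    mapping(address => uint256) public nonces;   // next unused nonce per account
    mapping(address => uint256) public minted;   // stand-in for the token ledger

    constructor(address signer_) { signer = signer_; }

    // Weak form: the digest covers only the payload, so a signature issued
    // to one account verifies for any caller, any number of times.
    function weakDigest(uint256 quantity) public pure returns (bytes32) {
        return keccak256(abi.encode(quantity));
    }

    // Hardened form: binds the chain, this contract, the account and its nonce.
    function boundDigest(address account, uint256 quantity, uint256 nonce)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), account, quantity, nonce));
    }

    function mint(uint256 quantity, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = boundDigest(msg.sender, quantity, nonces[msg.sender]);
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        // Reject malleable high-s signatures (s must be in the lower half of the curve order).
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address recovered = ecrecover(ethHash, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        nonces[msg.sender] += 1;        // the same signature no longer matches the next digest
        minted[msg.sender] += quantity;
    }
}
```

Because the digest includes `msg.sender`, a signature copied from another account's transaction recovers a different address and is rejected; because the nonce advances on every successful mint, the same signature cannot be submitted twice by its rightful holder either.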
We are surprised that such a vulnerability can exist in a popular NFT project. The whole community needs to pay more attention to the security of the contract.
About BlockSec
BlockSec is a pioneering blockchain security company established in 2021 by a group of globally distinguished security experts. The company is committed to enhancing security and usability for the emerging Web3 world in order to facilitate its mass adoption. To this end, BlockSec provides smart contract and EVM chain security auditing services, the Phalcon platform for security development and blocking threats proactively, the MetaSleuth platform for fund tracking and investigation, and MetaSuites extension for web3 builders surfing efficiently in the crypto world.
To date, the company has served over 300 esteemed clients such as MetaMask, Uniswap Foundation, Compound, Forta, and PancakeSwap, and received tens of millions of US dollars in two rounds of financing from preeminent investors, including Matrix Partners, Vitalbridge Capital, and Fenbushi Capital.
Official website: https://blocksec.com/
Official Twitter account: https://twitter.com/BlockSecTeam