
Security incidents in the NFT liquidity market are becoming frequent: analysis of the hack of the NFT trading platform Quixotic

2022-07-04 17:13:00 SharkTeam

On July 1, Quixotic, the largest NFT trading platform in the Optimism ecosystem, was found to have a vulnerability in its smart contract, and a hacker used it to steal a large amount of user assets.


Recently, security problems in the NFT liquidity market have occurred frequently. SharkTeam was the first to carry out a technical analysis of this incident and has summarized the corresponding security precautions, in the hope that future projects can take warning from it and help build a security defense line for the blockchain industry.


I. Event analysis

Attacker address: 0x0a0805082ea0fc8bfdcc6218a986efda6704efe5, abbreviated 0x0a08

Attack contract address: 0xbe81eabdbd437cba43e4c1c330c63022772c2520, abbreviated 0xbe81

Attacked contract address: 0x065e8a87b8f11aed6facf9447abe5e8c5d7502b6, abbreviated 0x065e


After creating the attack contract, the attacker launched a large number of attack transactions through it against many users. The stolen assets were mainly WETH and Optimism (OP). Taking the first attack transaction as an example, the analysis is as follows:

txHash: 0xfdee36012cbeb26d37a857a4bb1937ce0b30379a25198735089c75cfd3ea799a

[Screenshot: transaction details]

In this transaction the attacker stole 0.0975 WETH. The function and parameters called are as follows:

[Screenshot: function call and parameters]

The transaction was initiated by the attacker address 0x0a08 and invoked the fillSellOrder function of the attacked contract 0x065e; the contractAddress parameter is actually the attack contract address 0xbe81.

The fillSellOrder function is as follows:

[Screenshot: fillSellOrder source]

The validateSellerSignature function is as follows:

[Screenshot: validateSellerSignature source]

Here, _validateSellerSignature does not verify the contractAddress parameter in sellOrder, so the attacker was able to pass in a custom contract address, namely the attack contract address.

The _fillSellOrder function is as follows:

[Screenshot: _fillSellOrder source]

When the NFT is moved here, the transfer function of the NFT contract given by the contractAddress parameter is called. The user must have granted approval before this function can be called, and since the attacker fully controls that contract, the function can be written to pull every token the user has approved into the attacker's own account, including ERC721, ERC1155, ERC20 and so on. Note that the attacker can only extract tokens that the user has approved.

In summary, the root cause of this security incident lies in the vulnerability in the contract itself, and users' over-approval of tokens gave the hacker the opportunity.

II. Security suggestions

The root cause of this incident is the contract's lack of validation of address-type parameters, combined with users' over-approval of tokens. We therefore suggest that both project teams and users raise their security awareness: projects should do their best to avoid contract vulnerabilities, and users should be careful when approving tokens, keeping the kinds and amounts of approved tokens to a minimum.
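The two findings above (an address-type parameter left out of the signed data, and approvals that let a foreign contract reach user funds) can be shown side by side in a minimal exchange contract. The following is an added example written for this analysis; it is not Quixotic's code or SharkTeam's, the SellOrder struct and the function names only follow the post's naming, and it assumes OpenZeppelin Contracts is available on the import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumption: OpenZeppelin Contracts (4.x or 5.x) is on the import path.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Illustrative sell order. Field names follow the post (seller, contractAddress,
// tokenId, ...); the layout is an assumption, not the attacked contract's.
struct SellOrder {
    address seller;          // signer of the order
    address contractAddress; // NFT collection the order refers to
    uint256 tokenId;
    address paymentERC20;    // token the buyer pays with, e.g. WETH
    uint256 price;
    uint256 expiration;      // unix timestamp after which the order is void
    uint256 nonce;           // per-seller replay protection
}

// The defect pattern described in the post: the digest the seller signs omits
// contractAddress, so any contract address pairs with an otherwise valid signature.
contract VulnerableSellerSignature {
    using ECDSA for bytes32;

    function _validateSellerSignature(SellOrder calldata o, bytes calldata sig)
        internal pure returns (bool)
    {
        // BUG: o.contractAddress is not part of what was signed
        bytes32 structHash = keccak256(
            abi.encode(o.seller, o.tokenId, o.paymentERC20, o.price, o.expiration, o.nonce)
        );
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash)
        );
        return digest.recover(sig) == o.seller;
    }
}

// Hardened version: every order field is bound by the signature, the collection
// must be on an operator-curated allowlist, nonces cannot be replayed, and the
// fill checks that the NFT actually arrived before the order counts as settled.
contract HardenedExchange {
    using ECDSA for bytes32;

    address public immutable operator;
    mapping(address => bool) public allowedCollections;
    mapping(address => mapping(uint256 => bool)) public nonceUsed;

    event SellOrderFilled(address indexed seller, address indexed buyer, address collection, uint256 tokenId);

    constructor() { operator = msg.sender; }

    function setCollectionAllowed(address collection, bool allowed) external {
        require(msg.sender == operator, "not operator");
        require(collection.code.length > 0, "not a contract");
        allowedCollections[collection] = allowed;
    }

    // Hash of the complete order; contractAddress is now inside the digest.
    function orderHash(SellOrder calldata o) public pure returns (bytes32) {
        return keccak256(abi.encode(
            o.seller, o.contractAddress, o.tokenId,
            o.paymentERC20, o.price, o.expiration, o.nonce
        ));
    }

    function _validateSellerSignature(SellOrder calldata o, bytes calldata sig)
        internal pure returns (bool)
    {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", orderHash(o))
        );
        return digest.recover(sig) == o.seller;
    }

    function fillSellOrder(SellOrder calldata o, bytes calldata sig) external {
        // Address-type parameters are validated before anything is transferred.
        require(allowedCollections[o.contractAddress], "collection not allowed");
        require(block.timestamp <= o.expiration, "order expired");
        require(!nonceUsed[o.seller][o.nonce], "nonce already used");
        require(_validateSellerSignature(o, sig), "invalid seller signature");
        nonceUsed[o.seller][o.nonce] = true;

        // The buyer is the caller; the seller is the signer of the order.
        require(
            IERC20(o.paymentERC20).transferFrom(msg.sender, o.seller, o.price),
            "payment failed"
        );
        IERC721(o.contractAddress).safeTransferFrom(o.seller, msg.sender, o.tokenId);
        // Post-condition: the allowlisted collection must report the buyer as owner.
        require(IERC721(o.contractAddress).ownerOf(o.tokenId) == msg.sender, "NFT not delivered");

        emit SellOrderFilled(o.seller, msg.sender, o.contractAddress, o.tokenId);
    }
}
```

Binding contractAddress into the digest stops a signed order from being replayed against a different collection, but a signer can still sign an order that names an arbitrary contract, so the allowlist (or an equivalent check that the address is a known collection) is the control that actually prevents the exchange from calling into untrusted code. On the user side, the loss in this incident was bounded by what had been approved to the exchange: ERC20 `approve(spender, 0)` and ERC721/ERC1155 `setApprovalForAll(operator, false)` revoke an approval, and granting only the amount needed for a specific trade keeps the exposure small if the marketplace contract is ever compromised.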

III. About us

SharkTeam's vision is to comprehensively protect the security of the Web3 world. Team members are located in Beijing, Nanjing, Suzhou and Silicon Valley, and the team is made up of experienced security professionals and senior researchers from around the world who are proficient in the underlying theory of blockchains and smart contracts. We provide services including smart contract auditing, on-chain analysis and emergency response, and have established long-term partnerships with key players across the blockchain ecosystem, such as Huobi Global, OKC, Polygon, Polkadot, imToken and ChainIDE.

Web:https://www.sharkteam.org

Telegram:https://t.me/sharkteamorg

Twitter:https://twitter.com/sharkteamorg

Reddit:https://www.reddit.com/r/sharkteamorg

For more blockchain security information and analysis, click the link below:

D Check | Chain risk verification https://m.chainaegis.com


Copyright notice
This article was written by [SharkTeam]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/185/202207041520365974.html