According to a blockchain security firm, the National Basketball Association’s NFT contract has a loophole that allows attackers to mint dynamic NFTs without authorization. Reportedly, a hacker has already minted and sold 100 NFT using this contract vulnerability.
As per blockchain security firm, BlockSec, the NBA contract has a vulnerability that allows non-whitelisted or unauthorized users to mint NFTs by copying the signatures of authorized users.
“The root cause of the vulnerability is the incorrect use of signature verification”. Basically, the contract fails to ensure that the signature can only be used by the user (and only the user) once. In this case, the attacker can reuse a privileged user’s signature and mint tokens to him/herself.” added BlockSec in a separate post.
Using these loopholes, an attacker was able to scurry away with 100 minted NFT without paying a single token. Blockchain activity tracker Etherscan showed that on average, each NFT was sold for around $1,200 worth of Ethereum on NFT marketplaces OpenSea and LooksRare. Based on the average sale price in the token contract, the attacker stole around $123K worth of digital assets from the NBA’s NFT collection.
Just a day ago, the NBA released a new collection of ‘dynamic NFTs’ for the 2022 playoffs called ‘The Association’. The NFTs utilize oracle operator Chainlink’s data feeds to dynamically alter their appearance as and when a player’s statistics change.
Hacks On The Rise?
Unfortunately, hackers have ramped up the pace of network attacks in 2022. Attacks on the Ronin Network, Wormhole, and DeFi protocol Qubit have wiped out massive funds from the crypto market. Reportedly, over $1.23 Billion has been lost in crypto thefts in the first quarter of 2022. The figure was up by nearly 700% when compared to Q1 of 2021.
With blockchain security still at an early stage and unable to fully cope with the advancements in blockchain technology, hackers get an avenue to comprise a project’s network with minimal consequences. Although the stolen funds can be tracked on certain websites, the lack of a proper regulatory framework makes it difficult to retrieve the bulk of the stolen funds.