DeFi sleuths investigate suspicious blockchain code

A Fiverr developer creates back doors. It’s news to no one: the cryptocurrency ecosystem is constantly targeted by hackers and scammers of all kinds, and the booming NFT ecosystem is no exception.

197 ETH stolen from the Thestarlab NFT project

Thestarlab is an NFT project offering 9,999 NFTs of 3D planets that evolve in a metaverse.

On Wednesday, March 2, the Thestarlab team announced that it had been the target of an attack. The attacker gained access to the team’s wallet and drained the 197 ETH stored there.

Amount stolen from the Thestarlab contract.

This is therefore not a rug pull by the team: the stolen funds are the proceeds of the NFT mint phase, taken by an outside attacker.

One point remained puzzling. Only the address recorded as the contract’s owner can withdraw funds, yet in this case the owner address had been changed to the zero address, 0x0000000000000000000000000000000000000000.

“This feature essentially relinquishes ownership of the contract. So, the owner of the Mint contract becomes the zero address: 0x0000000000000000000000000000000000000000. No one on our team, or anywhere else in the world for that matter, has access to this null address.”

explained the team.

At that point it was hard to understand how this could have happened. That was without counting on the Twitter detectives.


A Fiverr developer who created back doors

A few days later, Zachxbt published the results of his investigation into the hack, and his findings are quite surprising.

First post in the thread posted by Zachxbt – Source: Twitter.

After a full review of the contract code, he noticed one thing: the person who deployed the smart contract had registered two addresses as owners. When the Thestarlab team transferred ownership to the zero address, that call only changed one of the two.

As a result, the contract still treats the deployer’s address as an owner.

“The smart contract’s ownership can never be renounced or transferred. It is only possible to add an additional owner here. The original deployer will always be considered the owner.”

he explained in his Twitter thread.

So who is this original deployer? It is the developer of the smart contract, a freelancer hired on the Fiverr platform. During development he made sure his own address stayed registered as an owner of the contract, so that he could drain the funds if the team working with him never double-checked the code, which is exactly what happened.
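The lesson for anyone buying a contract from a freelancer is that owner() only reports the address the contract chooses to advertise. The check below is an added example, not code from the article, from Thestarlab or from Zachxbt. It assumes two inputs a practitioner would normally fetch from a node with eth_getCode and eth_getStorageAt (the runtime bytecode and a dump of the first storage slots), and hunts for every address the contract carries that differs from the declared owner: addresses baked into the code show up as PUSH20 operands, and a second owner saved from msg.sender in the constructor shows up as an address-shaped storage word. All sample values are constructed for the example and are not the real Thestarlab contract.

```python
"""Hunt for owner addresses a contract knows about but never advertises.

Added example, not code from the article, from Thestarlab or from Zachxbt.
It assumes two inputs that a practitioner would fetch from a node with
eth_getCode and eth_getStorageAt: the runtime bytecode and a dump of the
contract's first storage slots. Every value below is constructed for the
example; it is not the real Thestarlab contract.
"""
from typing import Iterator

ZERO_ADDRESS = "0x" + "00" * 20


def push_operands(bytecode: bytes) -> Iterator[tuple[int, int, bytes]]:
    """Yield (offset, size, operand) for every PUSHn in EVM bytecode.

    PUSH1..PUSH32 are opcodes 0x60..0x7f and carry n bytes of immediate data.
    The immediate bytes must be skipped, otherwise an address embedded in the
    code would be misread as a run of opcodes.
    """
    pc = 0
    while pc < len(bytecode):
        op = bytecode[pc]
        if 0x60 <= op <= 0x7F:
            size = op - 0x5F
            yield pc, size, bytecode[pc + 1 : pc + 1 + size]
            pc += 1 + size
        else:
            pc += 1


def hardcoded_addresses(bytecode: bytes) -> set[str]:
    """Addresses baked into the code (Solidity `immutable` or literal
    constants) are loaded with PUSH20. Skip the all-zero and all-0xff
    operands, which are address(0) and the 160-bit mask the compiler emits."""
    found = set()
    for _offset, size, operand in push_operands(bytecode):
        if size == 20 and operand not in (b"\x00" * 20, b"\xff" * 20):
            found.add("0x" + operand.hex())
    return found


def storage_addresses(storage: dict[int, bytes]) -> dict[int, str]:
    """Slots whose 32-byte word looks like an address: upper 12 bytes zero and
    a value too large to be a small counter (heuristic: at least 2**64), so a
    second owner set from msg.sender in the constructor is picked up while a
    supply counter such as 9999 is not. Slots that pack an address together
    with other fields are out of scope for this heuristic."""
    hits = {}
    for slot, word in storage.items():
        if len(word) == 32 and word[:12] == b"\x00" * 12:
            if int.from_bytes(word, "big") >= 1 << 64:
                hits[slot] = "0x" + word[12:].hex()
    return hits


def find_hidden_owners(bytecode: bytes, storage: dict[int, bytes], declared_owner: str) -> set[str]:
    """Every address the contract carries, minus the one owner() advertises."""
    candidates = hardcoded_addresses(bytecode) | set(storage_addresses(storage).values())
    return {addr for addr in candidates if addr != declared_owner.lower()}


# Constructed sample: a minimal runtime that loads the 160-bit mask, then an
# immutable deployer address, plus a storage dump after renounceOwnership().
HIDDEN_IMMUTABLE = "0x" + "deadbeef" * 5   # baked into bytecode (constructed)
HIDDEN_IN_STORAGE = "0x" + "cafe" * 10     # stored by the constructor (constructed)

SAMPLE_BYTECODE = (
    bytes.fromhex("6080604052")                      # PUSH1 0x80 PUSH1 0x40 MSTORE
    + b"\x73" + b"\xff" * 20                         # PUSH20 address mask
    + b"\x73" + bytes.fromhex(HIDDEN_IMMUTABLE[2:])  # PUSH20 <deployer>
    + bytes.fromhex("6000")                          # PUSH1 0x00
    + b"\x00"                                        # STOP
)
SAMPLE_STORAGE = {
    0: b"\x00" * 32,                                         # owner: renounced
    1: (9999).to_bytes(32, "big"),                           # maxSupply
    2: b"\x00" * 12 + bytes.fromhex(HIDDEN_IN_STORAGE[2:]),  # _deployer
}

if __name__ == "__main__":
    for addr in sorted(find_hidden_owners(SAMPLE_BYTECODE, SAMPLE_STORAGE, ZERO_ADDRESS)):
        print("undeclared owner candidate:", addr)
```

Both heuristics are deliberately noisy rather than quiet: any address the scan turns up that the team cannot explain (a royalty recipient, a known library, the declared owner) deserves a look at the functions that compare against it, because that is exactly where a withdraw backdoor would sit. The scan does not replace reading the source, but it works on bytecode alone, so it can be run on a contract whose source was never handed over.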

32 projects at risk

Unfortunately, Zachxbt’s findings don’t stop there. After analyzing on-chain data, he identified at least 32 projects using the same contract code and therefore exposed to the same flaw.

“I checked on chain and it appears that at least 32 projects have contracted with the same Fiverr developer to work for the projects, who deployed all the contracts.”

Unsurprisingly, most of the vulnerable projects that responded to Zachxbt’s posts admitted they had never reviewed the contract code the developer delivered.

For its part, the Thestarlab project has begun migrating to a new smart contract that no longer contains the Fiverr developer’s address.

Attacks target all kinds of protocols. The Treasure NFT marketplace on Arbitrum was recently hit by an attack that let a malicious user take NFTs without paying a cent.
