NFT contract vulnerabilities are frequent, with losses of 64.9 million USD in the first half of 2022.
NFT Contract Security: Review of Events in the First Half of 2022 and Analysis of Common Audit Issues
In the first half of 2022, security incidents in the NFT field occurred frequently, resulting in significant economic losses. According to monitoring from data platforms, a total of 10 major security incidents occurred, with losses amounting to approximately $64.9 million. The attack methods mainly included exploiting contract vulnerabilities, private key leaks, and phishing, among others. Meanwhile, Discord phishing incidents occurred almost daily, with individual users frequently suffering losses.
Review of Typical Security Incidents
TreasureDAO event
On March 3, 2022, the TreasureDAO trading platform was hacked, and over 100 NFTs were stolen. The vulnerability originated from flawed logic in the buyItem function of the TreasureMarketplaceBuyer contract, which calculated prices without checking the token type, allowing NFTs to be purchased for 0 ERC-20 tokens. This illustrates the logical errors that can arise when ERC-1155 and ERC-721 tokens are handled by the same code path.
APE Coin airdrop event
On March 17, 2022, hackers obtained over 60,000 APE Coins using flash loans. The AirdropGrapesToken airdrop contract determined NFT ownership solely through balanceOf() at the moment of the call, a snapshot-free check that a flash loan can manipulate within a single transaction.
Revest Finance incident
On March 27, 2022, Revest Finance was attacked, resulting in a loss of $120,000. The vulnerability stemmed from an ERC-1155 reentrancy attack: the contract did not check whether the new FNFT already existed during minting, and the relevant state variable was incremented only after _mint(), so the receiver callback could re-enter before the state was updated.
NBA whitelist abuse ("wool-shearing") incident
On April 21, 2022, the NBA project was attacked. The The_Association_Sales contract had signature spoofing and reuse issues in its whitelist verification: it did not record used signatures, and it did not validate msg.sender against the parameters passed in.
Akutar event
On April 23, 2022, a vulnerability in the AkuAuction contract of the Akutar project resulted in 11,500 ETH being locked. There were two main logical issues: the refund function could be blocked by a malicious participant, and the case of a user bidding multiple times was not considered, which made refunds impossible to execute.
XCarnival event
On June 24, 2022, XCarnival was attacked and lost 3087 ETH. The XNFT contract did not check the xToken address when NFTs were staked, and did not verify the status of the collateral record when borrowing, allowing attackers to borrow repeatedly against collateral that was no longer valid.
Common Questions About NFT Contract Audits
Signature forgery and reuse: no check that a signature has already been consumed; the signature check itself is flawed (for example, it does not bind the caller).
Logical flaws: administrators can bypass the total supply limit when minting; auctions are vulnerable to transaction-ordering dependency.
ERC-721/ERC-1155 reentrancy: the receiver-notification callbacks of safe transfers and mints hand control to the recipient and can be used to re-enter the contract.
Excessive approval scope: requiring approval for all tokens instead of a single token increases the risk of NFT theft.
Price manipulation: NFT prices derived from a contract's current token balance can be moved by flash loans.
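To make the signature-reuse issue from the NBA incident and the callback-reentrancy issue from the Revest incident concrete, here is an added illustration of a whitelist mint in a weak form and a hardened form. It is not code from any project on this page; it assumes OpenZeppelin Contracts 5.x (ERC721, ECDSA, MessageHashUtils), and the contract names and the single-signer arrangement are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts 5.x (hypothetical contract names below).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

// Weak form: the signed message binds only (account, quantity), so anyone can
// resubmit a signature seen on-chain, and the recipient comes from calldata,
// not msg.sender. Nothing records that a signature was already consumed.
contract WhitelistMintWeak is ERC721 {
    address public immutable signer;
    uint256 public nextId;

    constructor(address signer_) ERC721("Demo", "DEMO") { signer = signer_; }

    function mint(address account, uint256 quantity, bytes calldata sig) external {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encodePacked(account, quantity)));
        require(ECDSA.recover(digest, sig) == signer, "bad signature");
        for (uint256 i = 0; i < quantity; i++) _safeMint(account, nextId++);
    }
}

// Hardened form: the digest commits to this contract, the chain, msg.sender and a
// per-account nonce; the nonce is advanced before _safeMint, which hands control
// to the recipient via onERC721Received, so a re-entrant call sees a stale nonce.
contract WhitelistMintHardened is ERC721 {
    address public immutable signer;
    uint256 public nextId;
    mapping(address => uint256) public nonces;

    constructor(address signer_) ERC721("Demo", "DEMO") { signer = signer_; }

    function mint(uint256 quantity, uint256 nonce, bytes calldata sig) external {
        require(nonce == nonces[msg.sender], "signature already used");
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(address(this), block.chainid, msg.sender, quantity, nonce)));
        require(ECDSA.recover(digest, sig) == signer, "bad signature");
        nonces[msg.sender] = nonce + 1; // effect before the external callback
        for (uint256 i = 0; i < quantity; i++) _safeMint(msg.sender, nextId++);
    }
}
```

An auditor reviewing such a contract checks three things in the hardened path: the digest includes the caller and a replay guard, the guard is written before any call that can leave the contract, and the off-chain signer produces signatures over exactly the same encoding.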
Overall, the frequent occurrence of security incidents in NFT contracts reflects the importance of professional security audits. Project teams should prioritize contract security and seek professional audits to prevent potential risks.