Frequent Security Incidents in NFT Contracts: Six Key Audit Points to Mitigate Risks
Analysis of NFT Contract Security Issues and Audit Key Points
In the first half of 2022, several major security incidents occurred in the NFT field, resulting in losses of approximately 64.9 million dollars. These incidents mainly involved contract exploits, private key leaks, and phishing attacks. It is worth noting that phishing incidents on the Discord platform occur almost daily, leading to significant losses for many individual users.
Typical Security Incident Analysis
TreasureDAO event
On March 3, the TreasureDAO trading platform was attacked, resulting in the theft of over 100 NFTs. The vulnerability originated from a logic error in the TreasureMarketplaceBuyer contract that allowed attackers to purchase NFTs without paying. The root cause was the logical confusion that arose from handling ERC-1155 and ERC-721 tokens in the same contract.
APE Coin airdrop event
On March 17, attackers used a flash loan to claim over 60,000 APE Coin airdrop tokens. The vulnerability lay in the airdrop contract, which only checked whether the caller owned the NFT at the instant of the claim, a condition that could be satisfied temporarily through a flash loan.
Revest Finance event
On March 27, Revest Finance was attacked, resulting in a loss of approximately $120,000. This was a typical ERC-1155 reentrancy attack, stemming from a logic flaw in the contract's minting of new FNFTs.
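To illustrate the pattern behind this incident, the following is an added example (not Revest's code) of a hypothetical ERC-1155 mint that records its bookkeeping only after the transfer callback, beside a hardened version that applies checks-effects-interactions and OpenZeppelin's ReentrancyGuard. The contract names, the supply limit, the one-per-address rule and the use of OpenZeppelin Contracts v5 are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical limited mint (assumption): one token per address, 100 in total.
// VULNERABLE: _mint() invokes onERC1155Received on a contract recipient
// before hasMinted/minted are updated, so a re-entrant mint() call passes
// both require() checks again and the per-address and supply caps fail.
contract VulnerableMint is ERC1155 {
    uint256 public constant MAX_SUPPLY = 100;
    uint256 public minted;
    mapping(address => bool) public hasMinted;

    constructor() ERC1155("") {}

    function mint() external {
        require(!hasMinted[msg.sender], "already minted");
        require(minted < MAX_SUPPLY, "sold out");
        _mint(msg.sender, 1, 1, "");   // external callback happens here
        hasMinted[msg.sender] = true;  // effects recorded too late
        minted += 1;
    }
}

// HARDENED: checks-effects-interactions plus a reentrancy guard.
// State is final before the callback runs, and nonReentrant rejects any
// nested call into mint() during the callback regardless of ordering.
contract HardenedMint is ERC1155, ReentrancyGuard {
    uint256 public constant MAX_SUPPLY = 100;
    uint256 public minted;
    mapping(address => bool) public hasMinted;

    constructor() ERC1155("") {}

    function mint() external nonReentrant {
        require(!hasMinted[msg.sender], "already minted");
        require(minted < MAX_SUPPLY, "sold out");
        hasMinted[msg.sender] = true;  // effects first
        minted += 1;
        _mint(msg.sender, 1, 1, "");   // interaction last
    }
}
```

During an audit, every internal path that ends in an ERC-1155 or ERC-721 safe transfer or mint should be checked for state writes that happen after the callback.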
NBA project attack
On April 21, the NBA project was attacked. The issue lay in the signature verification used for whitelist validation, which was vulnerable to signature impersonation and reuse.
Akutar event
On April 23, a smart contract vulnerability in the Akutar project left approximately $34 million in assets locked. The cause was a logic flaw in the contract's refund function, which did not account for users bidding on multiple NFTs.
XCarnival event
On June 24, XCarnival was attacked, resulting in a loss of approximately $3.8 million. The vulnerability lay in the staking and lending functions of the XNFT contract, which lacked necessary security checks.
Common Issues Found in NFT Contract Audits
Signature impersonation and reuse:
Logic flaws:
ERC-721 and ERC-1155 reentrancy:
Overly broad authorization scope:
Price manipulation:
These security issues highlight the importance of a comprehensive professional audit of NFT contracts. Project teams should prioritize contract security and mitigate potential risks through professional security audits to protect users' assets.