Frequent security vulnerabilities in NFT contracts caused losses of nearly $65 million in the first half of 2022.


NFT Contract Security: Analysis of Events and Audit Issues in the First Half of 2022

In the first half of 2022, security incidents in the NFT field occurred frequently, resulting in significant losses. According to data platform monitoring, there were a total of 10 major NFT security incidents in the first half of the year, with cumulative losses of approximately 64.9 million USD. The main attack methods included exploiting contract vulnerabilities, private key leaks, and phishing, among others. It is worth noting that phishing attacks on the Discord platform occurred almost daily, leading to substantial losses for many individual users.

Analysis of NFT Security Incidents in the First Half of the Year: Which Typical Cases Should We Be Vigilant About?

Review of Typical Security Incidents

TreasureDAO incident

On March 3rd, the TreasureDAO trading platform was attacked, resulting in the theft of over 100 NFTs. The vulnerability originated from a logical error in the TreasureMarketplaceBuyer contract, which calculated prices without checking the token type, allowing NFTs to be purchased with a minimal amount of tokens. This incident exposed potential issues arising from the mixed use of ERC-1155 and ERC-721 tokens.

APE Coin airdrop incident

On March 17, an attacker used flash loans to claim over 60,000 APE Coin from the airdrop. The problem lay in the AirdropGrapesToken contract, which determined eligibility solely from the caller's NFT holdings at the instant of the claim, so an attacker could borrow the qualifying NFTs with a flash loan, claim, and return them within one transaction.

Revest Finance incident

On March 27, Revest Finance was attacked, resulting in a loss of $120,000. The vulnerability was an ERC-1155 reentrancy: the contract performed its checks and state updates inadequately around the mint of new NFTs, so the attacker could re-enter during the mint and repeat the minting operation.

NBA "wool-pulling" (bonus-farming) incident

On April 21, the NBA project was attacked. The issue lay in its signature verification mechanism, which allowed signatures to be reused and forged.

Akutar Incident

On April 23, due to a contract logic error, 11,539 ETH (approximately $34 million) was permanently locked in Akutar's AkuAuction contract. The main issue was a poorly designed refund function that could not handle bidders who had placed multiple bids.

XCarnival incident

On June 24, XCarnival was attacked, resulting in a loss of 3,087 ETH (approximately $3.8 million). The vulnerability was that the XNFT contract did not strictly check the validity of staked NFTs, allowing stale staking records to be reused as collateral for borrowing.


Common Audit Issues in NFT Contracts

  1. Signature security:
    • No replay protection, such as a per-user nonce bound into the signed message.
    • Lax signature checks, such as not rejecting the zero address that ecrecover returns for an invalid signature.
  2. Logical flaws:
    • Special minting paths may bypass the total supply limit.
    • Auction flows are exposed to transaction-ordering (front-running) attacks.
  3. ERC-721/ERC-1155 reentrancy:
    • The transfer notification callbacks (onERC721Received / onERC1155Received) can be used to re-enter the contract before its state has been updated.
  4. Over-broad authorization:
    • Requiring setApprovalForAll instead of a per-token approve increases the risk of NFT theft if the approved contract is compromised.
  5. Price manipulation:
    • NFT prices that depend on the state of external contracts can be manipulated with flash loans.

These issues frequently arise in actual attacks, highlighting the importance of professional security audits. Project teams should prioritize contract security and seek professional audit services to mitigate security risks.
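As an added example (not code from the article or from any project it names), the following Solidity contract shows a signature-gated ERC-1155 mint written to avoid audit issues 1 to 3 above. It assumes the OpenZeppelin ERC1155 implementation; the contract name, `signer`, `MAX_SUPPLY` and the metadata URI are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the article: a signature-gated ERC-1155 mint that
// avoids the replay, zero-address and reentrancy findings listed above.
// Assumes OpenZeppelin's ERC1155; other names are illustrative.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

contract GuardedMint is ERC1155 {
    address public immutable signer;            // trusted off-chain allowlist signer
    uint256 public constant MAX_SUPPLY = 10_000;
    uint256 public minted;                      // updated BEFORE the transfer callback
    mapping(address => uint256) public nonces;  // per-user replay protection
    bool private locked;                        // minimal reentrancy guard

    constructor(address signer_) ERC1155("ipfs://placeholder/{id}.json") {
        require(signer_ != address(0), "signer is zero");
        signer = signer_;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // The signed message binds contract, chain, buyer, amount and nonce, so a
    // signature cannot be replayed for another user, chain, deployment or claim.
    function mint(uint256 amount, uint8 v, bytes32 r, bytes32 s) external nonReentrant {
        uint256 nonce = nonces[msg.sender]++;   // consume the nonce before anything else
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, msg.sender, amount, nonce))
        ));
        address recovered = ecrecover(digest, v, r, s);
        // ecrecover yields address(0) for a malformed signature; reject it explicitly
        // so a zeroed signer could never make such a signature pass.
        require(recovered != address(0) && recovered == signer, "bad signature");

        // Checks-effects-interactions: raise the supply counter before _mint, since
        // _mint calls onERC1155Received on contract recipients and that callback can
        // re-enter (issue 3). With nonReentrant, the cap (issue 2) cannot be bypassed.
        require(minted + amount <= MAX_SUPPLY, "sold out");
        minted += amount;
        _mint(msg.sender, 1, amount, "");
    }
}
```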


TokenRationEater · 07-16 15:42
Young suckers were played for suckers.

MEVictim · 07-16 15:33
Played for suckers again.

AirdropDreamBreaker · 07-16 15:30
Best annual sci-fi drama.

CryptoMotivator · 07-16 15:28
You'll understand once you've lost everything.

rugged_again · 07-16 15:25
Playing people for suckers never ends, does it?