In December 2023, NFT Trader was the victim of a hack. The attacker exploited vulnerabilities in the project’s smart contracts to steal high-value NFTs worth an estimated $3 million.
Inside the Attack
The NFT Trader attackers took advantage of the fact that several of the project’s old smart contracts contained reentrancy vulnerabilities. A reentrancy vulnerability is a security flaw in how a smart contract tracks its internal state when calling other, untrusted smart contracts.
For example, when implementing a withdrawal function, the smart contract may validate that a withdrawal request is valid, transfer the assets to the caller, and then update its records to reflect that the withdrawal was performed successfully.
This control flow is problematic because, when receiving a transfer, a smart contract has the opportunity to run some code of its own. A malicious smart contract can exploit this fact to re-enter the vulnerable withdrawal function before it has updated its internal state. This would allow the attacker to perform multiple withdrawals of the same assets.
The NFT Trader attackers exploited similar vulnerabilities in two of the project’s old smart contracts. For users who have granted certain permissions to the vulnerable contracts, the attackers could exploit the vulnerabilities and steal their NFTs.
The reentrancy vulnerability was exploited by multiple attackers. One claiming to be copying an exploit developed by someone else held the stolen Bored Apes and Mutant Apes for ransom. After demanding a ransom, they did return some of the stolen NFTs to their original owners.
Lessons Learned from the Attack
The NFT Trader hack was made possible by a simple reentrancy vulnerability. This is one of the most common and famous vulnerabilities in the Ethereum ecosystem. It would likely have been identified and remediated as part of a smart contract security audit and may have even been detectable using automated tools. Without such an audit, the smart contract was vulnerable to exploitation, resulting in substantial losses to its users.
The NFT Trader hack also demonstrates the importance of including older and deprecated smart contracts in security testing. In this case, the vulnerable smart contracts were older ones, indicating that the project may have identified or avoided these vulnerabilities in more recent contracts but failed to scan and patch older ones for security flaws.
A security testing program is essential to the success of any smart contract holding value on the blockchain, especially if it is responsible for millions in irreplaceable assets.
For more information on securing and testing your smart contracts, get in touch with Halborn.