Blockchain security firm BlockSec said this Thursday that the collection has a very serious vulnerability that allows attackers to mint NBA NFTs without paying any tokens for them.
The Association is a new Ethereum-based NFT collection based on this year’s NBA playoffs, which began minting yesterday. The tokens feature popular players from sixteen basketball teams, and will change in appearance depending on each player’s performance in the game.
The NBA tweeted that it had paused minting the NFTs immediately, citing issues with the whitelist that caused the collection to sell out prematurely:
We recognize the issues with the smart contract which caused the Allow List supply to sell out prematurely. We apologize for this situation and are currently identifying the Allow List wallets that were not able to mint as a result.
— NBAxNFT (@NBAxNFT) April 20, 2022
BlockSec said that the NFT contract fails to verify that a signature can be used just once, by one user. Due to the oversight, hackers are able to reuse the signature belonging to an actual user and mint tokens for their own purposes.
This explains very well why the NBA whitelist sold out so quickly, as hackers exploited the signature vulnerability.
BlockSec said the contract itself did not include any safety mechanisms to ensure a single authorized signature could be used only once. They also said that proof process in security area is a
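The two checks BlockSec says were missing (the signature belongs to the caller, and it is consumed after one use), sketched as an added example that is not the collection's contract code. It is a minimal Python model in which HMAC-SHA256 stands in for the contract's signature recovery; the signer key, wallet names, class names and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed value: stands in for the allow-list signer's private key.
SIGNER_KEY = b"constructed-allow-list-signer-key"


def sign_voucher(wallet):
    """Off-chain signer authorising `wallet` to mint (HMAC as an ECDSA stand-in)."""
    return hmac.new(SIGNER_KEY, wallet.encode(), hashlib.sha256).digest()


class UncheckedMint:
    """Flawed pattern: any valid signature is accepted, from anyone, repeatedly."""

    def __init__(self):
        self.owners = []

    def mint(self, caller, wallet, sig):
        if not hmac.compare_digest(sig, sign_voucher(wallet)):
            return False              # forged or corrupted signature
        self.owners.append(caller)    # token goes to whoever submitted the call
        return True


class HardenedMint(UncheckedMint):
    """Adds caller binding and single-use tracking on top of signature validity."""

    def __init__(self):
        super().__init__()
        self.used = set()

    def mint(self, caller, wallet, sig):
        if caller != wallet:          # the voucher must belong to the caller
            return False
        if sig in self.used:          # each signature is consumed exactly once
            return False
        if not super().mint(caller, wallet, sig):
            return False
        self.used.add(sig)
        return True


def replay_outcome(contract):
    """Regression scenario (constructed): owner mints, repeats, then a second
    wallet presents the owner's signature. Returns the three mint results."""
    sig = sign_voucher("0xalice")
    calls = [("0xalice", "0xalice"), ("0xalice", "0xalice"), ("0xmallory", "0xalice")]
    return [contract.mint(caller, wallet, sig) for caller, wallet in calls]
```

Run against both classes, `replay_outcome` shows the unchecked contract accepting all three calls while the hardened one accepts only the first.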
The collection itself is a blind mint, meaning that no one will know which player they will mint until a reveal on Friday. 18k tokens were available, and almost 16k appear to be minted.