How to verify a signature in a wrong way — the AssociationNFT case

The Association NFT is a NBA launched NFT. However, we find the NFT sale contract has a serious vulnerability which allows an attacker to mint a large number NFTs, without paying any Tokens.

The root cause of the vulnerability is the incorrect use of signature verification. Basically, the contract fails to ensure that the signature can only be used by the user (and only the user) once. In this case, the attacker can reuse a privileged user’s signature and mint tokens to him/herself.

We can see that in the verify function, there is no sender's address in the signature. Besides, there is no mechanism to include a nonce to ensure that the signature can only be used once. These security requirements are the basic knowledge in the software security class.

We are surprised that how such a vulnerability can exist in a popular NFT project. The whole community needs to pay more attention to the security of the contract.

About BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem, and collaborates with leading DeFi projects to secure their products. The team is founded by top-notch security researchers and experienced experts from both academia and industry. The core founder of the team has been recognized as the Most Influential Scholar Award (Rank 4 from 2012–2021), in the field of security and privacy. They have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks of DeFi applications, and released detailed analysis reports of high-impact security incidents.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockSec

BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.