How to verify a signature in a wrong way — the AssociationNFT case

Image: Raymond Clarke/Flickr

The Association NFT is an NBA-launched NFT. However, we find that the NFT sale contract has a serious vulnerability that allows an attacker to mint a large number of NFTs without paying any tokens.

The root cause of the vulnerability is the incorrect use of signature verification. The contract fails to ensure that a signature can be used only by the user it was issued to, and only once. As a result, an attacker can reuse a privileged user's signature and mint tokens to him/herself.

In the verify function, the signed data does not include the sender's address. There is also no nonce mechanism to ensure that a signature can be used only once. These security requirements are basic knowledge taught in a software security class.
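The pattern described above, as an added sketch that is not the Association NFT contract's code: a hypothetical sale contract with a weak check next to one that binds the signature to the caller and a per-caller nonce. All contract, function and variable names are assumptions, and binding the chain id and contract address goes beyond the two fixes the text names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the Association NFT contract. All names are hypothetical.
contract SignedMintSketch {
    address public immutable signer;            // off-chain allowlist key (assumed)
    mapping(address => uint256) public nonces;  // next unused nonce per buyer
    mapping(address => uint256) public minted;  // stand-in for the real NFT mint

    constructor(address signer_) {
        signer = signer_;
    }

    // Recover the signer of an EIP-191 "personal_sign" digest over `inner`.
    function _recover(bytes32 inner, uint8 v, bytes32 r, bytes32 s)
        internal pure returns (address)
    {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );
        return ecrecover(digest, v, r, s); // address(0) on failure
    }

    // WEAK: the signed data carries only the quantity. Nothing ties the signature
    // to msg.sender or to a single use, so any account can replay it.
    function mintWeak(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        address rec = _recover(keccak256(abi.encode(amount)), v, r, s);
        require(rec != address(0) && rec == signer, "bad signature");
        minted[msg.sender] += amount;
    }

    // HARDENED: the signed data names the caller and the caller's current nonce
    // (plus chain id and contract address, so it is not valid elsewhere).
    function mintBound(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        uint256 nonce = nonces[msg.sender];
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), msg.sender, nonce, amount)
        );
        address rec = _recover(inner, v, r, s);
        require(rec != address(0) && rec == signer, "bad signature");
        nonces[msg.sender] = nonce + 1; // a replay now hashes to a different digest
        minted[msg.sender] += amount;
    }
}
```

In `mintBound`, a signature issued to one address fails for any other caller because `msg.sender` is part of the hashed data, and it fails on a second use by the same caller because the stored nonce has advanced.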

We are surprised that such a vulnerability can exist in a popular NFT project. The whole community needs to pay more attention to the security of the contract.

About BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem and collaborates with leading DeFi projects to secure their products. The team was founded by top-notch security researchers and experienced experts from both academia and industry. The core founder of the team has received the Most Influential Scholar Award (Rank 4 from 2012–2021) in the field of security and privacy. They have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks on DeFi applications, and released detailed analysis reports of high-impact security incidents.
