0xngmi/foundation-exploit

Exploit

Foundation's NFTCollection contract allows Foundation to destroy almost all NFTs minted on their site.

The issue comes from the _selfDestruct() function that NFTCollection contracts have (https://github.com/f8n/fnd-protocol/blob/main/contracts/mixins/collections/SequentialMintCollection.sol#L72), which is callable by the owner when totalSupply() is 0.

The problem is that the implementation contract also has that function, and there it is callable by their multisig. Calling it would make the implementation contract self-destruct and brick every proxy, so all NFTs minted on proxy contracts would essentially be destroyed, since the contracts wouldn't work anymore.

Result: currently there's a 2/6 multisig that can destroy almost all NFTs minted on Foundation.

How this would happen:

  1. Multisig https://etherscan.io/address/0x9d9C46aCa6a2c5FF6824A92d521b6381f9f8F1a9 issues a tx upgrading https://etherscan.io/address/0x67Df244584b67E8C51B10aD610aAfFa9a402FdB6#code
  2. Upgraded version of 0x67Df244584b67E8C51B10aD610aAfFa9a402FdB6 then calls selfDestruct() on https://etherscan.io/address/0xf61f4f2c896219a90670e19e188ebb93fcc002e8 or 0xe38f942Db7a1B4213d6213F70c499B59287b01F1
  3. After this, any call to a function on the NFT contracts, such as transfer(), ownerOf() or tokenURI(), will fail (because the proxy calls the implementation contract and that contract has ceased to exist), which means that all NFTs disappear

How to fix:

  1. Just issue an NFT on https://etherscan.io/address/0xf61f4f2c896219a90670e19e188ebb93fcc002e8 (and other implementation contracts like 0xe38f942Db7a1B4213d6213F70c499B59287b01F1) and send that NFT to a burn address
  2. Doing this will make totalSupply > 0 permanently, which will make any future calls to selfDestruct() revert
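
To confirm whether the fix above has been applied to an implementation contract, the check can be scripted. This is an added example, not code from this repository: the `rpc(method, params)` helper, the status names and the sample addresses are assumptions, and the chain state is constructed so the script runs offline.

```javascript
// Added example, not part of the repository. `rpc(method, params)` is an assumed
// helper that performs one Ethereum JSON-RPC call and resolves to its `result`.
const TOTAL_SUPPLY_SELECTOR = "0x18160ddd"; // bytes4(keccak256("totalSupply()"))

// Pure decision logic: eth_getCode output + raw totalSupply() return data -> status.
function classify(codeHex, supplyHex) {
  if (!codeHex || codeHex === "0x") {
    return { status: "DESTROYED", detail: "no code at address; proxies pointing here fail" };
  }
  if (!supplyHex || supplyHex === "0x") {
    return { status: "UNKNOWN", detail: "totalSupply() returned no data" };
  }
  const supply = BigInt(supplyHex);
  return supply === 0n
    ? { status: "AT_RISK", detail: "totalSupply is 0, so the owner can still call selfDestruct()" }
    : { status: "GUARDED", detail: `totalSupply is ${supply}, so selfDestruct() reverts` };
}

async function checkImplementation(rpc, address) {
  const code = await rpc("eth_getCode", [address, "latest"]);
  let supply = "0x";
  if (code !== "0x") {
    try {
      supply = await rpc("eth_call", [{ to: address, data: TOTAL_SUPPLY_SELECTOR }, "latest"]);
    } catch (err) {
      supply = "0x"; // a reverted or failed call is reported as UNKNOWN
    }
  }
  return { address, ...classify(code, supply) };
}

// Constructed chain state for an offline run; the addresses are placeholders.
const word = (n) => "0x" + n.toString(16).padStart(64, "0");
const SAMPLE_STATE = {
  ["0x" + "11".repeat(20)]: { code: "0x6080", supply: word(0) },
  ["0x" + "22".repeat(20)]: { code: "0x6080", supply: word(1) },
  ["0x" + "33".repeat(20)]: { code: "0x", supply: "0x" },
};
const stubRpc = (state) => async (method, params) => {
  const target = method === "eth_getCode" ? params[0] : params[0].to;
  return method === "eth_getCode" ? state[target].code : state[target].supply;
};

async function auditAll(rpc, addresses) {
  return Promise.all(addresses.map((a) => checkImplementation(rpc, a)));
}

auditAll(stubRpc(SAMPLE_STATE), Object.keys(SAMPLE_STATE)).then((rows) =>
  rows.forEach((r) => console.log(r.address, r.status, "-", r.detail)));
```

A GUARDED result only shows that totalSupply is currently above 0. It does not confirm that the minted token sits at a burn address, which is what keeps the supply from returning to 0.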

PoC

Run PoC: npx hardhat test test/attack.ts

Timeline

  • 21 Dec 2022: Report exploit to Foundation along with how to fix it and details
  • 22 Dec 2022: Report again through different medium
  • 23 Dec 2022: Receive response, get told engineering team is taking a look at the issue
  • 18 Jun 2023: Send reminder to Foundation team, offer a PoC of the exploit and notify them that I'll be disclosing it publicly soon since nothing has been done
  • 19 Jun 2023: Send reminder+notification through another medium
  • 19 Jun 2023: Receive reply from Foundation team, get told I have to KYC and submit it to their bounty program
