BUG: Critical vulnerability allows attacker to take control of any NFT #346
Comments
|
Hey @giansalex, thank you for pointing this out. So, before the attack, was the owner of the NFT a user with the address After the attack, the owner of the NFT became the attacker with the address If I understood correctly, the > iris q nft-transfer escrow-address channel-39 nft-transfer
iaa1ul6gkpnpd5lzllxc42d0fcd0z889tvxxmjlftc |
taramakage
added
bug
|
@taramakage yes, any NFT in the chain can be stolen, even if it is not owned by IBC NFT escrow-address |
|
This has been pointed out in #158. Where ALL token data can be manipulated, since target takes all token data from source and overrides NFT. |
?? Only tokenData can modified as I see in the code (referring to a native NFT on IRIS/Uptick/Omniflix) |
I leave it to others judging on what manipulating or stealing is ;). As noted in my description in #158 I have provided 2 code snippets for:
let rugged_receiver = "stars1g0krhq56pmxmaz8lnj8h6jf55kcsq7x0lw5ywc";
let receiver = deps.api.addr_validate(rugged_receiver)?;
token_data: Some(vec![to_binary("{\"exploit\": \"gotcha\"}")?]),Now as an exploiter, taking ownership, ofc I send it back to my sender wallet including manipulated metadata. |
The receiver is not part of the NFT properties that you can change.
That's what I'm saying, you can only change the
|
|
@taitruong with this demo #705 (comment) , is it clear what the difference is? |
Oh yes and pretty cool. Token data and uri was intial discussion. Please note in token data, there are ALL relevant data: It really includes all data:
As I said: thx for elaborating. With ONE single call you will be able to not ONLY rug one NFT but ALL NFTs on this collection. So we all, art3mix, you and I have been identifying vulnerables and exploits on many use cases: phishing, manipulating, stealing and burning NFTs and reminting NFTs. Great job. Again. We all contributed on this. |
|
I mean a 'list of ALL class ids'and not a 'lost of....' :) |
yes. that is possible, but it does not change the consequence: any NFT stolen |
|
This bug has been fixed in nft-transfer#12 |
Summary of Bug
Chains using
nft-transfermodule are affected.An attacker can create a custom ICS721 implementation on a remote chain, and send packets with a
classIdthat matches the class-trace path of any NFT on the origin chain, because thenft-transfermodule does not verify the owner of the NFT in the destination chain, the attacker can steal any NFT, even if the NFT has never been used in an IBC nft-transfer.Environment
iris@1.4.1-gon-testnetgithub.com/bianjieai/nft-transfer@v1.1.1-betaSteps to Reproduce
e.g
{port}/{channel}/{remote-class-id}, where{remote-class-id}is the NFT class to attack.malicious packet sent:
{ "classId": "wasm.juno14svms48zknd2583kunct22haqf26tsmzd8z0n50zgfj9mkfygdvqxjhjdj/channel-113/bitvalidator01", "classUri": null, "classData": null, "tokenIds": [ "bitnftA4" ], "tokenUris": null, "tokenData": null, "sender": "juno1zxtlyk7l6n3t46yqse84sza7ar39m8ul3gdfye", "receiver": "iaa1zxtlyk7l6n3t46yqse84sza7ar39m8uljcwrp5", "memo": "hack" }Expected and Actual Behavior
Additional Context
the attack has been executed on chains using
nft-transfermoduledemo: JUNO <> IRIS
Tx Transfer: D4AD024E4972D7FED3FB9364953D33525313F089C8780386056D17F16BAE50E4
IBC Recv: 5467BC97AD6CF7A667BF9CF5D3F4519310AA0F341FF2CE3EC59BECC7431626BF
NFT transferred to my IRIS wallet
Custom ICS721 contract
https://blueprints.juno.giansalex.dev/#/contracts/juno14svms48zknd2583kunct22haqf26tsmzd8z0n50zgfj9mkfygdvqxjhjdj
source code: https://github.com/disperze/ics721/tree/gon-attack
The text was updated successfully, but these errors were encountered: