Another upgrade was made to the NFTX contract this morning (following a successful DAO vote). As most readers are aware, fund creation has been paused for the past couple weeks. Earlier last month, samczsun contacted me about a possible high level exploit which I will attempt to explain.
Basically the NFTX contract works by creating an ERC20 token and linking it with the address of an ERC721 such that the only way to mint the ERC20 is to deposit the ERC721. However, the NFTX contract does not actually create the ERC20 token itself, that is a separate operation which happens right before. What samczsun realized is that it would be possible to create a new fund using an already existing ERC20 fund token. For example, someone could make a new “fund” with the existing GLYPH token and an arbitrary NFT contract (like GodsUnchained). After the new fund is created, that GLYPH token would then be connected to two different NFTs at once (both Autoglyphs and GodsUnchained), which would allow the attacker to mint GLYPH by depositing GodsUnchained cards (that are less scarce and less expensive). Then the attacker could use their new GLYPH tokens to redeem the more expensive autoglyph NFTs.
The patch for the contract is to delegate ERC20 token creation to the createVault method, so that a new erc20 token is always deployed for each new fund. We have also implemented this in such a way that should save on gas during fund creation. Big thanks to Owen (and also Vasa) for helping.
We have not paid samczsun back yet for bringing this to our attention. I believe a reward of at least $50,000 should be given to him, from the treasury—if everyone is okay with that. I am also open to other figures of course.
After this particular bug bounty to samczsun is paid out we can consider a general system for bug bounties in the future.
- Yes, withdraw $50k of ETH from treasury
- No, let’s consider an alternative