CIVNFT Hack Analysis

Overview:

On July 8, 2023, CIVNFT was attacked on the Ethereum chain. A missing access control check on one of its functions let the attacker drain approved tokens, causing a loss of roughly 180K USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The root cause was the absence of any access control on a specific function, identified by the selector 0x7ca06d68.
  • Because the function could be called by anyone, the attacker invoked the _uniswapV3MintCallback logic directly from an attack contract and supplied their own values, rather than the callback being triggered by the pool as intended.
  • As a consequence, tokens such as $CIV and $USDC that users had approved to CIVNFT were pulled from those users and transferred to the attacker.
Fig: Attack flow

Mitigation and Best Practices:

  • Introduce an access control mechanism that restricts sensitive operations to authorized addresses or roles within the project, so that only trusted entities (for a pool callback, the pool itself) can trigger them.
  • Apply function modifiers that validate the caller’s permissions before executing critical operations. Use OpenZeppelin’s Ownable library and its “onlyOwner” modifier for functions that are meant to be called only by the contract owner.
  • Always validate your code with comprehensive test cases that cover all business-logic paths, including calls from unauthorized accounts.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.
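The callback pattern behind this class of bug, shown as an added example that is not CIVNFT’s code and is not taken from the post. A Uniswap V3 pool calls uniswapV3MintCallback on the contract that invoked mint() and expects it to pay the tokens owed. If that callback is public and unauthenticated, anyone can call it directly with arbitrary amounts and an arbitrary payer, and the contract will pull tokens from any user who has approved it. The contract names, the use of an immutable pool address, and the stored-payer approach are assumptions for illustration; the IERC20 and IUniswapV3Pool signatures are the standard ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of the Uniswap V3 mint-callback access-control pattern.
// Not the CIVNFT contract; contract and variable names are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function mint(
        address recipient,
        int24 tickLower,
        int24 tickUpper,
        uint128 amount,
        bytes calldata data
    ) external returns (uint256 amount0, uint256 amount1);
}

/// Vulnerable pattern: the callback trusts whoever calls it. The payer and
/// token addresses come from attacker-controlled calldata, and the tokens are
/// sent to msg.sender, which is the caller rather than a verified pool.
contract VulnerableMinter {
    function uniswapV3MintCallback(
        uint256 amount0Owed,
        uint256 amount1Owed,
        bytes calldata data
    ) external {
        (address payer, address token0, address token1) =
            abi.decode(data, (address, address, address));
        if (amount0Owed > 0) IERC20(token0).transferFrom(payer, msg.sender, amount0Owed);
        if (amount1Owed > 0) IERC20(token1).transferFrom(payer, msg.sender, amount1Owed);
    }
}

/// Hardened pattern:
///  - the pool address is fixed at deployment and the callback is accepted
///    only from that pool (onlyPool modifier);
///  - token addresses are read from the pool, not trusted from calldata;
///  - the payer is recorded by this contract when the mint starts, so a
///    caller cannot nominate a third party whose approval it wants to spend.
contract HardenedMinter {
    IUniswapV3Pool public immutable pool;
    address private payer; // set only for the duration of one mint

    error UnauthorizedCallback(address caller);
    error NoActiveMint();

    constructor(IUniswapV3Pool _pool) {
        pool = _pool;
    }

    modifier onlyPool() {
        if (msg.sender != address(pool)) revert UnauthorizedCallback(msg.sender);
        _;
    }

    function mint(address recipient, int24 tickLower, int24 tickUpper, uint128 liquidity) external {
        payer = msg.sender;
        pool.mint(recipient, tickLower, tickUpper, liquidity, "");
        payer = address(0);
    }

    function uniswapV3MintCallback(
        uint256 amount0Owed,
        uint256 amount1Owed,
        bytes calldata
    ) external onlyPool {
        address p = payer;
        if (p == address(0)) revert NoActiveMint(); // callback outside a mint we started
        if (amount0Owed > 0) IERC20(pool.token0()).transferFrom(p, msg.sender, amount0Owed);
        if (amount1Owed > 0) IERC20(pool.token1()).transferFrom(p, msg.sender, amount1Owed);
    }
}
```

Note that the authorized caller of a pool callback is the pool, not the contract owner: an onlyOwner modifier on the callback would block legitimate mints, so onlyOwner belongs on administrative functions and a pool check belongs on the callback. When a contract must serve many pools, Uniswap’s own periphery does the equivalent check by recomputing the pool address from the factory, the token pair and the fee (CallbackValidation.verifyCallback) instead of storing a single immutable pool.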

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
