SolidityScan
HACK ANALYSIS 2 min read

$LAND Hack Analysis — Missing Access Control

$LAND Hack Analysis — Missing Access Control

Overview:

On May 14, 2023, $LAND suffered a hack due to a Missing Access Control vulnerability that resulted in a total loss of 149,616 $BUSD.

Smart Contract Hack Overview:

Attackers address: 0x96b89c
Vulnerable contract: 0x1a62fe
Attacker Transactions: 0xe4db15

Fig: Attacker’s transaction

Decoding the Smart Contract Vulnerability:

  • The $land project allowed multiple miner addresses to mint NFTs, and one of these addresses was identified as 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7.
Fig: Exploited mint function
  • The attacker took advantage of the vulnerability and interacted with the 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract to mint 200 NFTs.
  • Further, the attacker proceeded to call the function 0x2c672a34 of the contract with the address 0xeab03ad7ea0ac5afb272b592bef88cf93ed190c5. By utilizing this function, the attacker exchanged their accumulated NFTs for a substantial amount of $XQJ tokens. Each NFT was exchanged at a rate of 200 $XQJ.
  • The exploiter then engaged in a swap where he traded 28,601 $XQJ for a considerable sum of 149,616 $BUSD
  • The attacker continued to mint additional NFTs until the issuance limit for NFTs was reached.

Mitigation and Best Practices:

  • Introduce an access control mechanism that restricts the ability to mint NFTs only to authorized addresses or roles within the project. This ensures that only trusted entities can initiate the minting process.
  • It is encouraged to utilize libraries from OpenZeppelin to ensure the usage of the “onlyOwner” modifier.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan, which includes the detections of Access Control vulnerabilities
SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

Snooker Token Hack Analysis
Sell Token Hack Analysis