11 matches found
FBI warns users of NFT theft by malicious developers
By Waqas. Cybercriminals are posing as legitimate NFT developers and employing sophisticated tactics to deceive unsuspecting victims. This is a post from HackRead.com. Read the original post: FBI warns users of NFT theft by malicious developers...
newLien.lender can steal NFT that should belong to oldLien.lender after refinancing
Lines of code Vulnerability details Impact After calling the following ParticleExchange.refinanceLoan function, collection are the same and tokenId become newLien.tokenId for both the old and new liens. function refinanceLoan Lien calldata oldLien, uint256 oldLienId, Lien calldata newLien, uint25...
Attacker can frontrun a victim's mint+add transaction to steal NFT
Lines of code Vulnerability details Impact High - an attacker can steal deposited NFTs from victims using the mint + add functionality in CidNFT.sol Proof of Concept One of the core features of CID Protocol is the ability for users to attach Subprotocol NFTs to their CidNFT. The CidNFT contract...
An operator can steal an NFT after it's listed
Lines of code Vulnerability details Impact The ArbitraryCallsProposal contract prevents calls to setApprovalForAll on NFTs the Party owns. If an NFT is listed, calls to setApprovalForAll via the ArbitraryCallsProposal contract will succeed because the Party isn’t in possession of the NFT. Anyone...
A majority attack can steal precious NFT from the party by crafting and chaining two proposals
Lines of code Vulnerability details Description The PartyGovernance system has many defenses in place to protect against a majority holder stealing the NFT. Majority cannot exfiltrate the ETH gained from selling precious NFT via any proposal, and it's impossible to sell NFT for any asset except...
A majority attack can easily bypass Zora auction stage in OpenseaProposal and steal the NFT from the party.
Lines of code Vulnerability details Description The PartyGovernance system has many defenses in place to protect against a majority holder stealing the NFT. One of the main protections is that before listing the NFT on Opensea for a proposal-supplied price, it must first try to be auctioned off o...
ArbitraryCallsProposal.sol and ListOnOpenseaProposal.sol safeguards can be bypassed by cancelling in-progress proposal allowing the majority to steal NFT
Lines of code Vulnerability details Note: PartyDAO acknowledges that "canceling an InProgress proposal mid-step can leave the governance party in a vulnerable or undesirable state because there is no cleanup logic run during a cancel" in the "Known Issues / Topics" section of the contest readme. ...
call to harvest() can be manipulated to steal funds from the contract
Lines of code Vulnerability details Impact When calling harvest, attacker can devise a cross-contract reentrancy to steal NFT owned by the contract Cally. Proof of Concept 1. While creating a vault, the owner of NFT transfers the NFT to the contract i.e. ownerOfnftID is Cally. 2. Attacker contrac...
DDoS Attempts Hit Russia as Ukraine Conflict Intensifies
Plus: Hacker recruits, NFT thefts, and more of the week’s top security news...
Phishing scam: NFTs Worth $1.7M Stolen from OpenSea Users
By Deeba Ahmed. OpenSea's CEO Devin Finzer has denied the claims that a vulnerability in their smart contract was exploited to… This is a post from HackRead.com. Read the original post: Phishing scam: NFTs Worth $1.7M Stolen from OpenSea Users...
A week in security (March 15 – 21)
Last week on Malwarebytes Labs, our podcast featured Adam Kujawa, who talked us through our 2021 State of Malware report. We cover our own research on: Royal Mail parcel scam; How your iPhone can tell you if you’re being stalked; Careers in cybersecurity; ProxyLogon PoC whack-a-mole; Teen behind 2020...