CertiK first launch: Web2.0 old troubles go to Premint NFT theft incident analysis

Wty9wS4ksSDRF8JnPyqPkTcRx2tT8Sjt69QVaPtq.png

On July 17, 2022, Beijing time, the CertiK security team detected that the official website of the well-known NFT platform Premint NFT was hacked today after being hacked . This resulted in a loss of approximately $375,000.

Vulnerability Analysis

The hacker uploaded the malicious JavaScript code to the project official website https://premint.xyz, and the malicious code was injected into the website through the URL: https://s3-redwood-labs-premint-xyz[.]com/cdn.min.js?v= 1658046560357, currently the nameservers no longer exist, so the malicious file is no longer available.

j4lQw8UGI7zzEEnDBCATE1ZEwQiRGyTT5SbJRoy4.png

jOTWj2W4SFeLa5JQ0Zf7zdY2pBvWFSHUHtW7GDlo.png

The attack resulted in users being instructed to “set approvals for all” when connecting their wallets to the website, allowing attackers to access the wallet’s assets.

On-chain analysis

There are six Externally Owned Accounts (EOAs) directly related to this attack

  • 0x28733…
  • 0x0C979…
  • 0x4eD07…
  • 0x4499b…
  • 0x99AeB…
  • 0xAAb00 …

According to CertiK’s assessment, the attack started at 03:25 pm Beijing time on July 17th, which is when the first batch of stolen NFTs entered the two hacker accounts – the malicious code may have been uploaded to the project at this time official website.

BIe5WshNtro8kx6iNcpxySclinvgr3yxpkrAjGd6.png

One user claims 2 Goblintown NFTs were stolen

Search for these two NFTs on OpenSea to see how they are traded. Similarly, the wallet that steals NFTs can also be found by searching – EOA 0x0C979…

xQQslxVfB19EHPR5T0oV0BpZ4y0pGe844GePWtB4.png

By monitoring the flow of NFTs, we found that the wallet perfectly fits the typical pattern of Discord phishing attacks: a large inflow of assets followed by a rapid sell-off . The wallet’s first incoming transaction was from 0xAAb00F… which also funded 0x28733….

Repeating the above detection, it can be confirmed that 0x28733… also participated in the hacking attack.

lq0H8XfT425sVIvzOjIvpPcf6AgP9JHrGxUZTuoL.png

A victim posts that their Moonbirds Oddities have been stolen

Searching for the username on Etherscan shows that Moonbird NFT was traded to EOA 0x28733…

PVZITr3kxhcB3KwMNsnSwRuv1ZIxR19uXiINI4tO.png

The flow pattern of this address is the same as EOA 0x0C979… – a large inflow of assets followed by a quick sell-off.

A total of 314 NFTs (worth about $375,000), including BAYC, Otherside, and Globlintownm, were stolen from these two wallet addresses.

In response to the attack, Premint’s Twitter account posted a warning not to sign “set approvals for all” transactions, and instructed users who suspect they had been hacked how to contact revoke.cash to get their money back assets.

t0FkcZQUPD2b7DG77J3A4mpKhOAHolpoa99VuI91.png

Fortunately, two of these external accounts appear to have been discovered. Victims are contacting revoke.cash to get their funds back.

Where to go

272 ETH (worth ~$370,000) currently stored at: https://etherscan.io/address/0x99aeb028e43f102c5776f6b652952be540826bf4.

The remaining 2.68 ETH (worth about $3636) is stored at: https://etherscan.io/address/0xaab00f612d7ded169e51cf0142d48ff560f281f3 

Some of the hacked transactions in this attack are still pending.

write at the end

The Bored Ape Yacht Club NFT (BAYC) phishing attack (loss of approximately $319,000) and the hack of the Twitter account of NFT artist Beeple (which resulted in the loss of approximately $438,000 worth of NFTs and cryptocurrency to his fans) are well documented The vulnerability of Web 2.0 to the centralization problem.

To avoid this from happening, Web 3.0 projects should always build decentralization around the risks of centralization and single points of failure – multi-signature, requiring multiple users to authenticate when accessing privileged accounts, and creating a Then revoke the privilege.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/certik-first-launch-web2-0-old-troubles-go-to-premint-nft-theft-incident-analysis/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-07-18 10:53
Next 2022-07-18 10:54

Related articles