Are NFT tools safe? What we can learn from the Premint hack?

Don't ever let your guard down in the world of Web3.

On July 17, Beosin EagleEye showed that the NFT platform PREMINT was hacked and the hackers profited from 314 NFTs worth $370,000. Beosin security team analyzed the incident.

Introduction of PREMINT

PREMINT is currently one of the most frequently used NFT services by many project parties and individuals, in simple terms, we can understand PREMINT as a whitelist lottery tool.

For the user, he can follow the project's Twitter, enter the official Discord, fill in the address and other steps to participate in the sweepstakes through PREMINT in one go.

From the perspective of the NFT project, the project does not need to develop the lottery system alone, PREMINT can help the project collect addresses, verify the capital, open the lottery, attract traffic and other steps, saving time and technical costs.

As a result, this attack led to many people being victimized. After the attack, the project also tweeted to remind users not to sign any transactions that say set approvals for all.

#Event-related Information

•Attacker-related addresses

1. 0x28733543ec21DFD4Dac3FA2d7AD74d6c6d2Bb49d

2. 0x0C9797805a22E507Bf48F35C72A67f001b7418d0

3. 0x4eD07767e70199F2423dC67FDE6802C1E7D06cA1

4. 0x4499bac5B15321b6fcD6Faf781Be8ae96EAAFeEf

5. 0x99AeB028E43F102C5776F6B652952BE540826bf4

6. 0xAAb00F612D7dED169E51cf0142D48FF560f281f3

#Attack Process

1. The attacker injects the code on the project's official website https://premint.xyz and load https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js document on the attacker's server.

2. Since the hacker's server is currently inaccessible, the js file is not directly accessible. However, its backup can still be found at web.archive.org, as follows:

As shown above, the content of red box 1 is the call method, corresponding to the function selector of the setApprovalForAll(address,bool) method, as shown below. The content of red box 2 is the regular operation of the phishing website to detect whether the balance of the user's wallet exists or not.

This method is one of the common methods used by phishing sites, through which phishing sites can obtain ownership of all NFTs in the user's wallet.

3. Once the user visits the site and connects to the wallet, the attacker induces him to approve the setApprovalForAll transaction, allowing the attacker to gain ownership of all NFTs in the user's wallet and list them for sale on the OpenSea exchange, as shown in the figure below.

The following figure shows the transaction record of the stolen NFT on OpenSea, according to which the attacker's address can be located: 0x0C9797805a22E507Bf48F35C72A67f001b7418d0.

Then searching for related transactions based on that address, we found the remaining 5 related addresses.

4. Finally, the attackers transferred the stolen assets to Tornado.Cash.

#Fund Tracing

The attacker profited from approximately 314 NFTs worth $370,000. Beosin Trace monitored that the attackers have transferred the stolen funds to Tornado.cash, and the Beosin security team will continue to analyze and track the funds entering Tornado.cash.

#Summary

In response to this incident, the Beosin security team recommends that:

1. If a wallet is found to be stolen, users should promptly go to revoke.cash to revoke approval.

2. Users need to avoid over-authorization to ensure the safety of their property.

Beosin is a Web3 security company headquartered in Singapore, with 100+ team members and 85% of technical staff. It has over 40 engineers, security researchers, and analysts with Ph.D. and postdoc degrees. Beosin offers a comprehensive suite of security products and services covering smart contract and blockchain security auditing, blockchain transaction monitoring and risk alert, cryptocurrency tracing, and KYT and AML. It has audited over 2,000 smart contracts and over 100 blockchain platforms globally. Its Tracing service has helped investors recover hundreds of millions of stolen cryptos, including those laundered through Tornado Cash.