Art Coin, Snook, Land NFT: Incentive Loops, Permission Slips, and Liquidity Misfires
These five exploits weren’t black swans; they were design oversights waiting to be abused. Art Coin lost $331K by botching presale liquidity. Snook paid out infinite referral rewards to a daisy-chained scam. Land NFTs minted value from mismanaged permissions. Floki and Weeb trusted supply mechanics and got flash-loaned. Together, these attacks show how easily poor state handling and unchecked incentives can be turned into real money, by anyone reading your contract as carefully as your team didn’t.
Hacks Analysis
Land | Amount Lost: $150K
On May 15, the Land NFT exploit on BNB chain resulted in a loss of $150K. The attack occurred due to a lack of mint permission control. The Land NFT protocol allows specific miner addresses, including 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7, to mint NFTs. The attacker had access to the list of miner addresses and exploited this vulnerability by calling miner contracts to mint NFTs. These previously minted NFTs were then utilized to invoke the 0x2c672a34 function of the exploit contract, exchanging them for XQJ tokens. Subsequently, the attacker exchanged $XQJ for approximately $150K $BUSD. The attacker’s last two mint attempts were reverted due to a max supply error.
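The permission gap described above, as an added illustration rather than Land’s own code: the NFT checks that its caller is an allow-listed miner, but when a miner contract’s forwarding function is callable by anyone, the allow-list is only as strong as that hop. The weak and hardened miner are shown side by side; contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Land's code. The NFT trusts an allow-list of
// "miner" contracts; whether minting is really permissioned then depends
// entirely on how those miner contracts guard their own entry points.
contract LandNFT {
    address public immutable owner;
    uint256 public immutable maxSupply;
    uint256 public totalMinted;
    mapping(address => bool) public isMiner;      // hypothetical allow-list
    mapping(uint256 => address) public ownerOf;

    constructor(uint256 _maxSupply) { owner = msg.sender; maxSupply = _maxSupply; }

    function setMiner(address miner, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isMiner[miner] = allowed;
    }

    // Only asks "is msg.sender a miner?": the miner contract becomes the
    // whole security boundary for this function.
    function mint(address to) external returns (uint256 id) {
        require(isMiner[msg.sender], "not a miner");
        require(totalMinted < maxSupply, "max supply"); // the only backstop that fired
        id = ++totalMinted;
        ownerOf[id] = to;
    }
}

// Weak pattern: the forwarding call has no caller check, so anyone who reads
// the miner address off-chain can mint through it.
contract WeakMiner {
    LandNFT public immutable nft;
    constructor(LandNFT _nft) { nft = _nft; }
    function mintFor(address to) external returns (uint256) { return nft.mint(to); }
}

// Hardened pattern: the privilege to reach nft.mint() is itself gated, so the
// permission check holds at every hop of the call chain, not just the last.
contract HardenedMiner {
    LandNFT public immutable nft;
    address public immutable operator;
    constructor(LandNFT _nft, address _operator) { nft = _nft; operator = _operator; }
    function mintFor(address to) external returns (uint256) {
        require(msg.sender == operator, "not operator");
        return nft.mint(to);
    }
}
```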
Exploit Contract (on BNB Chain): 0x1a62fe088F46561bE92BB5F6e83266289b94C154
On May 10, the Weeb exploit on ETH chain resulted in a loss of $31K. The attacker used flash loans to borrow wrapped ETH from Balancer’s Vault contract, then swapped it for Weeb tokens through the UniswapV2Pair. By burning Weeb tokens through the performupkeep function, the attacker reduced the total liquidity in the Weebcoin contract and raised the price of Weeb tokens. Taking advantage of the increased price, the attacker sold the tokens for profit and finally repaid the flash loan, completing the exploit.
Transaction Hash (on BSC): 0xcb58fb952914896b35d909136b9f719b71fc8bc60b59853459fc2476d4369c3a
On May 10, the Floki exploit on ETH chain resulted in a loss of $30K. The exploit occurred because the attacker was able to decrease the total supply of $FLOKI coins. The attacker borrowed 20,000 wrapped Ether using flash loans and exchanged them for $FLOKI tokens on Uniswap V2. Next, the attacker called transfer() on the Floki contract, transferring $FLOKI tokens to the contract itself. Inside the Floki contract, transfer() invoked the private _reflectFee(), which allowed the attacker to subtract a fee and reduce the total supply. To view the updated total balance after the reduced supply, reflectionFromToken() was called. By reducing the total supply of FLOKI coins, the attacker was able to increase their value and make a profit.
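One way to close both the Weeb and the Floki supply-reducing paths described above, written as an added example that is not either project’s code: upkeep is caller-restricted, rate-limited and capped relative to the pool balance, and the token contract itself is rejected as a transfer recipient so a fee can never shrink supply mid-transaction. The keeper and pair addresses, fee rate and caps are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Weeb's or Floki's code. Both incidents ride on a
// supply-reducing path anyone can trigger inside one transaction: a public
// performUpkeep that burns pool tokens, or a transfer to the token contract
// itself whose fee shrinks supply. Names and rates below are assumptions.
contract SupplyGuardedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable pair;              // AMM pair holding the liquidity
    address public immutable keeper;            // only address allowed to run upkeep
    uint256 public constant MAX_BURN_BPS = 50;  // 0.5% of pool balance per upkeep
    uint256 public constant UPKEEP_INTERVAL = 1 hours;
    uint256 public lastUpkeep;

    constructor(address _pair, address _keeper, uint256 supply) {
        pair = _pair; keeper = _keeper;
        totalSupply = supply; balanceOf[msg.sender] = supply;
    }

    // Weak form: external, no caller check, caller-chosen amount, so a swap,
    // a burn and a sell fit in one flash-loan transaction. Hardened form:
    // restricted caller, rate limit, and a cap tied to the pool balance.
    function performUpkeep(uint256 amount) external {
        require(msg.sender == keeper, "not keeper");
        require(block.timestamp >= lastUpkeep + UPKEEP_INTERVAL, "too soon");
        require(amount <= balanceOf[pair] * MAX_BURN_BPS / 10_000, "burn exceeds cap");
        lastUpkeep = block.timestamp;
        balanceOf[pair] -= amount;
        totalSupply -= amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        // The token contract is never a valid recipient, so the self-transfer
        // route that lowered FLOKI's supply through its fee path is closed.
        require(to != address(this) && to != address(0), "bad recipient");
        _transfer(msg.sender, to, amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fee = amount / 100;               // 1% transfer fee (assumed)
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[pair] += fee;                   // fee moves, supply never changes here
    }
}
```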
On May 10, the Snook exploit on BNB chain resulted in a loss of $198K. Snook’s SNKMiner smart contract has a reward system for referrers whose referrals stake SNK tokens with Snook. The referee’s reward is calculated from the referral’s stake. The attacker took advantage of this by creating multiple referee and referral contracts and establishing parent-child relationships between them through the bindParent function. Using a child contract, the attacker repeatedly staked SNK tokens, collected rewards from the parent contract, and transferred those rewards to the next child contract, accumulating additional rewards for the referee contract associated with each child contract.
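The incentive loop above, as an added example that is not Snook’s SNKMiner: paying the parent on deposit lets one pot of tokens earn a referral reward on every hop of a contract chain, so the hardened design pays once per referee, only at unstake, only after a minimum lock, and only from a finite budget. The rate, lock period and OpenZeppelin IERC20 import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Added illustration, not Snook's SNKMiner. Paying the parent the moment a child stakes
// lets one pot of tokens be staked, withdrawn, passed to the next child and staked again.
// Here a reward is paid once per referee, at unstake, after a full lock, from a finite budget.
contract ReferralStaking {
    IERC20 public immutable snk;
    uint256 public constant REFERRAL_BPS = 500;   // 5% of stake (assumed rate)
    uint256 public constant MIN_LOCK = 7 days;    // assumed lock period
    uint256 public referralPool;                  // capped reward budget, never minted
    struct Stake { uint256 amount; uint256 since; bool referralPaid; }
    mapping(address => Stake) public stakes;
    mapping(address => address) public parentOf;

    constructor(IERC20 _snk, uint256 poolBudget) { snk = _snk; referralPool = poolBudget; }

    // One-shot and only before any stake exists, so a funded position cannot gain a parent.
    function bindParent(address parent) external {
        require(parentOf[msg.sender] == address(0) && stakes[msg.sender].amount == 0, "bound");
        require(parent != address(0) && parent != msg.sender, "bad parent");
        parentOf[msg.sender] = parent;
    }

    function stake(uint256 amount) external {
        require(amount > 0 && snk.transferFrom(msg.sender, address(this), amount), "stake failed");
        Stake storage s = stakes[msg.sender];
        s.amount += amount;
        s.since = block.timestamp;   // any new deposit restarts the lock for the whole position
        // The weak design credited parentOf[msg.sender] right here, on deposit.
    }

    function unstake() external {
        Stake storage s = stakes[msg.sender];
        require(s.amount > 0 && block.timestamp >= s.since + MIN_LOCK, "locked");
        uint256 amount = s.amount;
        address parent = parentOf[msg.sender];
        if (parent != address(0) && !s.referralPaid) {
            uint256 reward = amount * REFERRAL_BPS / 10_000;
            if (reward > referralPool) reward = referralPool;
            s.referralPaid = true;                 // once per referee, ever
            referralPool -= reward;
            if (reward > 0) require(snk.transfer(parent, reward), "reward failed");
        }
        s.amount = 0;
        require(snk.transfer(msg.sender, amount), "withdraw failed");
    }
}
```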
Transaction Hash (on BSC): 0x7394f2520ff4e913321dd78f67dd84483e396eb7a25cbb02e06fe875fc47013a
On May 9, the Art Coin exploit on ETH chain resulted in a loss of $331K. Art Coin’s liquidity pool on Uniswap V3 was exploited on May 7. A user discovered a flaw in Uniswap’s presale system, allowing them to sell ART tokens for 181 ETH. This user profited by selling tokens that were originally purchased for 0.1 ETH before the presale. The founder of Art Coin stated that there was a miscommunication regarding the setup of the liquidity pool prior to distributing ART tokens.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.