There is a new class of people all trying to arb the NFTStrategy contracts. As the self-proclaimed guardian of these contracts, I peek at how each participant operates. Most deploy unaudited contracts to use, typically along with EIP-7702 delegations. 1/🧵
2/ I can't stress enough that before delegating your whole account to a contract you spun up with the help of ChatGPT... actually, just don't delegate your whole account to a contract you spun up with the help of ChatGPT.
3/ Some folks are using empty EOAs to run the arb. That's generally fine, as a contract exploit risks at most what you have in your account. However, you still put yourself at risk if you ever use the account for something else in the future.
4/ For instance, if 0xB4 ever acquires a Bored Ape without first revoking the approval I forced on his account, the ape is as good as mine. I'd never take it of course, this was just an onchain warning.
5/ Similarly, to OS user "deadcells": I have your EPG #35 and Howlerz #3924. Delegate to a new contract with some form of access control, especially since your hardcoded miner tip can be used to forcibly drain your ETH. I'll of course return the NFTs once you're secure.
7/ The problem is threefold: First, there's no check to ensure that the strategy contract is calling the function. Second, there's no check to ensure the marketplace call is purchasing an NFT. Third, there's no check to ensure the NFT being transferred is even an NFT.
8/ The exploit is simple: the marketplace call becomes literally whatever you want (an NFT transfer, WETH approval, or any arbitrary contract call). The NFT transfer can be anything really, as long as the contract has a transferFrom function that won't revert.
9/ In the cases above I triggered a zero-value transfer on USDC by providing "0" as the expected token ID. "transferFrom(them, me, 0)" is technically a valid transfer in the eyes of the USDC contract.
10/ So again, a call to everybody: get your contracts audited, no matter how simple you may think they are. This space is dangerous, and you should assume everybody is out to get you (they are).
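The bug class from tweets 7/ through 9/, shown as a minimal EIP-7702 delegate beside a hardened version. This is an added illustration, not the thread author's code and not the contracts he inspected: the contract and function names, the fixed tip amount, and the strategy/market/collection parameters are assumptions. Both contracts are written as delegation targets, so `address(this)` is the delegating EOA and every external call below is made by the EOA itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the three missing checks described in the
// thread. Names are assumptions; the real arb contracts are not on the page.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// Vulnerable delegate: anyone can call it and choose every parameter.
contract ArbDelegateVulnerable {
    uint256 constant MINER_TIP = 0.01 ether; // assumed value for the "hardcoded miner tip"

    function buyAndForward(address market, bytes calldata data, address nft, uint256 tokenId)
        external
        payable
    {
        // (1) No check that msg.sender is the strategy contract, so an attacker
        //     can call this directly, and can loop it to bleed ETH via the tip.
        payable(block.coinbase).transfer(MINER_TIP);

        // (2) The "purchase" is whatever calldata the caller supplies, executed
        //     by the EOA: market = WETH with data = approve(attacker, max), or
        //     market = an NFT collection with data = transferFrom(EOA, attacker, id).
        (bool ok, ) = market.call{value: msg.value}(data);
        require(ok, "market call failed");

        // (3) No check that `nft` is an ERC-721. With nft = USDC and tokenId = 0
        //     this is USDC.transferFrom(EOA, attacker, 0), which does not revert
        //     (0 <= allowance of 0), so the whole call succeeds.
        IERC721(nft).transferFrom(address(this), msg.sender, tokenId);
    }
}

/// Hardened delegate: fixed caller, fixed market, fixed collection, and the
/// purchase must be proven by ownership rather than assumed.
contract ArbDelegateHardened {
    // Immutables live in the delegate's bytecode, so they are shared by every
    // EOA that delegates to this deployment; deploy one per operator.
    address public immutable STRATEGY;   // the only permitted caller
    address public immutable MARKET;     // the only permitted purchase target
    address public immutable COLLECTION; // the only token contract this may move
    uint256 constant MINER_TIP = 0.01 ether;

    constructor(address strategy, address market, address collection) {
        STRATEGY = strategy;
        MARKET = market;
        COLLECTION = collection;
    }

    function buyAndForward(bytes calldata data, uint256 tokenId) external payable {
        // (1) Access control: only the strategy contract can trigger a purchase
        //     (and therefore the tip payment).
        require(msg.sender == STRATEGY, "not strategy");
        payable(block.coinbase).transfer(MINER_TIP);

        // (3) The collection is fixed, and ownerOf() on a non-ERC-721 such as an
        //     ERC-20 reverts, so a "transfer" of a fungible token cannot be faked.
        IERC721 nft = IERC721(COLLECTION);
        require(nft.ownerOf(tokenId) != address(this), "already owned");

        // (2) The call target is fixed, and the call must actually deliver the
        //     token to the EOA before anything is forwarded.
        (bool ok, ) = MARKET.call{value: msg.value}(data);
        require(ok, "market call failed");
        require(nft.ownerOf(tokenId) == address(this), "purchase did not deliver token");

        nft.transferFrom(address(this), STRATEGY, tokenId);
        require(nft.ownerOf(tokenId) == STRATEGY, "forward failed");
    }
}
```

The ownership checks before and after the market call are what turn "the call succeeded" into "the call bought this token"; the caller check alone would already stop the forced tip drain and the USDC trick, but without the ownership checks a compromised or buggy strategy could still be used to make the EOA sign arbitrary calls.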
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.