TL;DR#
On February 24, 2023, NFT Cloud was exploited, resulting in the loss of 265 BNB, worth approximately $81,000.
Introduction to NFT Cloud#
NFT Cloud is a platform that provides a collection of tools and services to Web3 entrepreneurs, creators, and enthusiasts.
Vulnerability Assessment#
The root cause of the exploit is that the staking contract didn't check the staking status of CloudNFT correctly.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The platform works in such a way that users can deposit $CloudNFT and claim $Cloud tokens as rewards.
Step 3:
According to the terms of their contract, one $CloudNFT can only be deposited once in order to claim the reward.
Step 4:
However, the staking contract didn't check the staking status of the first deposited token.
Step 5:
Arrays' indexing starts from zero. But in the require statements of the deposit function, the indexing was set to start from 1, effectively bypassing the first token.
Therefore, validations for NFT ownership and lockUntil checks are bypassed when only one token is deposited.
Step 6:
The attacker deposited only one $CloudNFT to bypass this validation and repeated this process multiple times to claim higher rewards.
Step 7:
The exploiter swapped all of the stolen $Cloud tokens for BSC-USD and later funneled them into Tornado Cash.
Aftermath#
Following the attack, the price of their $Cloud token dropped by more than 75%. The staking contract was deployed just 24 hours before the exploit occurred. It is also possible that this was an insider job, with the perpetrator carefully planning the exploit.
The team neither shared the details of the incident nor mentioned any information regarding the possible recovery of funds for the affected users. However, they have stated that the problem has been fixed.
Solution#
The recent exploit of NFT Cloud sheds light on a pressing concern: the ever-increasing complexities and vulnerabilities in the rapidly burgeoning NFT space. When you dissect the exploit, it becomes evident that it was not just a failure in code but possibly a reflection of inadequate review and verification processes. The fact that the staking contract failed to verify the staking status of CloudNFT correctly, particularly with regards to the array indexing, is an unfortunate oversight in the contract's logic.
Neptune Mutual firmly believes that such vulnerabilities can be rooted out with robust testing and validation procedures. While smart contracts can codify an immense range of operations, their immutable nature makes it all the more essential to get them right the first time. A thorough security audit and rigorous testing environment could have brought this oversight to light, preventing a sizeable loss.
NFT Cloud's incident is further exacerbated by the fact that the staking contract was introduced merely 24 hours before the exploit. While speed to market is vital, it's equally important to ensure the safety of user funds. If suspicions of an insider job hold any ground, it also reiterates the significance of not only technical but also operational and organizational security protocols.
The world of NFTs, although filled with creative opportunities, also houses numerous pitfalls. The blurring line between genuine innovation and hastily developed projects could mean financial ruin for unsuspicious investors and users. It is here that Neptune Mutual finds its raison d'être.
By setting up a dedicated cover pool within the Neptune Mutual marketplace, NFT Cloud could have offered its users a safety net against potential smart contract vulnerabilities. Our parametric policies are designed to alleviate the pressure on affected users, granting them swift relief without the tedious process of furnishing loss proofs.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Reference Sources CertiK, PeckShield
