TL;DR#
On February 24, 2023, NFT Cloud was exploited, resulting in the loss of 265 BNB, worth approximately $81,000.
Introduction to NFT Cloud#
NFT Cloud is a platform that provides a collection of tools and services to Web3 entrepreneurs, creators, and enthusiasts.
Vulnerability Assessment#
The root cause of the exploit is that the staking contract didn't check the staking status of CloudNFT correctly.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The platform works in such a way that users can deposit $CloudNFT and claim $Cloud tokens as rewards.
Step 3:
According to the terms of their contract, one $CloudNFT can only be deposited once in order to claim the reward.
Step 4:
However, the staking contract didn't check the staking status of the first deposited token.
Step 5:
Arrays' indexing starts from zero. But in the require statements of the deposit function, the indexing was set to start from 1, effectively bypassing the first token.
Therefore, validations for NFT ownership and lockUntil checks are bypassed when only one token is deposited.
Step 6:
The attacker deposited only one $CloudNFT to bypass this validation and repeated this process multiple times to claim higher rewards.
Step 7:
The exploiter swapped all of the stolen $Cloud tokens for BSC-USD and later funneled them into Tornado Cash.
Aftermath#
Following the attack, the price of their $Cloud token dropped by more than 75%. The staking contract was deployed just 24 hours before the exploit occurred. It is also possible that this was an insider job, with the perpetrator carefully planning the exploit.
The team neither shared the details of the incident nor mentioned any information regarding the possible recovery of funds for the affected users. However, they have stated that the problem has been fixed.
Solution#
In the past few years, the NFT space has grown in popularity, which makes it a good target for scammers. It is therefore crucial to conduct due diligence on the authenticity of NFT projects because of the prevalence of scams in the industry. Failure to do so could result in a financial loss, so when evaluating NFT projects, it is critical to be vigilant and cautious.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with NFT Cloud had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Sources CertiK, PeckShield
