• Submit Mortem: NFTXMarketplace0xZap Vulnerability

    This can be a transient evaluate of the new vulnerability reported via our trojan horse bounty program.

    *Be aware this publish has been up to date on thirtieth September 2022 to incorporate the whole main points of the publish mortem.

    Incident Abstract

    The aim of the NFTXMarketplaceZap is to facilitate purchasing and promoting vault tokens at the side of minting, redeeming, and swapping on NFTX. Closing month the NFTX staff wrote and deployed a brand new contract known as NFTXMarketplace0xZap which differed from the former zap contract by way of sourcing liquidity from 0xProtocol as an alternative of simply Sushiswap. On September fifth, the NFTX staff converted to the brand new NFTXMarketplace0xZap, and customers started interacting with it when purchasing, promoting, and swapping NFTs at the NFTX dapp.

    On September thirteenth, p0n1 from SECBIT Labs, submitted an in depth trojan horse document by way of e-mail to bounty@nftx.org explaining that any one who authorized the NFTXMarketplace0xZap used to be susceptible to having NFTs stolen from whichever NFT contracts they authorized. The estimated doable loss used to be over 300 ETH in NFTs. Upon receiving the document, the NFTX staff paused minting, redeeming, and swapping throughout all vaults to negate the potential of an exploit and make allowance time to analyze and deploy a repair.

    On September 14th, a brand new vault contract used to be deployed and staged as an improve by way of the NFTX DAO. The unpause purposes had been additionally staged to observe after the improve. On September fifteenth, the vault improve used to be enacted at the DAO, adopted by way of the unpause calls, bringing the NFTX protocol again on-line for normal utilization.

    Have an effect on

    Thankfully, no property had been misplaced all the way through the incident, and no property stay in danger from the vulnerability.  There used to be no task all the way through the pause, so any person staking stock or liquidity neglected out on yield alternatives all the way through that point.

    Assault Vector

    NFTXMarketplace0xZap has an inside serve as known as _fillQuote that permits arbitrary calls. This serve as is known as by way of the mintAndSell721, buyAndSwap721, buyAndRedeem, and mintAndSell1155 purposes, permitting the general swapTarget and swapCallData parameters to be laid out in the caller.

    Because of this, an attacker may assemble arbitrary parameters to execute arbitrary code within the title of the NFTXMarketplace0xZap contract, enabling two conceivable assaults:

    1. Moving any property held within the NFTXMarketplace0xZap contract.
    2. Moving any property approved to the NFTXMarketplace0xZap contract.


    As a repair, the NFTX staff deployed a brand new NFTXVaultUpgradeable contract as an improve for all NFTX vaults. This new vault contract features a checkAddressOnDenyList serve as which will get known as by way of mintTo, redeemTo, and swapTo, blockading execution of any calls originating from the prone NFTXMarketplace0xZap. This guarantees that the in the past deployed NFTXMarketplace0xZap can’t be exploited by way of an attacker.

    A brand new NFTXMarketplace0xZap contract is being ready for an audit and has been up to date since studying concerning the vulnerability. The replace concerned casting off the power for a frontend shopper to give you the 0x integration swapTarget and as an alternative set the deal with immutably on contract advent. This swapTarget units the deal with reference that may deal with the fill request and will have to all the time level to a 0x proxy contract.

    This resolved the possible exploit risk, and we moreover applied pausable good judgment to the contract to permit for the zap processes to be halted, quite than requiring a complete protocol halt which used to be required this time.

    Tournament Timeline


    The main takeaway of this incident for the NFTX staff is that long run outer edge good contracts should be handled with the similar warning as core good contracts, particularly once they obtain authorization of customers’ property. Going ahead, any outer edge contracts will probably be audited sooner than deployment, together with the up to date NFTXMarketplace0xZap contract which is being ready for audit now.

    Subsequent Steps

    Whilst the one possibility for the NFTXMarketplace0xZap is whether it is used with the vault manufacturing facility contract (which it will probably not do because of the hardcoded deny record) we consider it’s best observe to revoke any get entry to the NFTXMarketplace0xZap contract has in your NFTs if they don’t seem to be to be of use.

    1. Pass to https://revoke.money/
    2. Attach your account
    3. To find any mentions of 0xbbc53022Af15Bb973AD906577c84784c47C14371
    4. Click on at the revoke button

  • You might also like