“TLDR: they can pull $$ even if the owner is the null address,” writes Zachxbt.
According to famed decentralized finance (DeFi) detective Zachxbt, 31 nonfungible token (NFT) projects may be at risk due to “suspicious code.” In a lengthy Twitter thread published Tuesday, the DeFi detective first raised the issue of NFT project Thestarlab, which was allegedly compromised for 197.175 Ether (ETH), worth $580,325 at the time of publication. Zachxbt quoted fellow blockchain investigator MouseDev, who came to the following conclusion after reviewing the code behind Thestarlab:
“The smart contract [for this project] can never truly be renounced or transferred—only an additional owner. The original deployer will always be considered the owner. This means if they still have the private key of the deployer, they can pull the money, even though the owner is the null address.”
MouseDev claimed that when the projects’ developers deployed their contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” said MouseDev.
Based on this information, Zachxbt claimed to have uncovered 31 NFT projects that all contracted the same Fiverr developer to deploy the allegedly problematic smart contract. Additionally, the DeFi detective had the following remarks:
“Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able migrate contracts and confront the Fiver dev. After reviewing internally, a few found other red flags as well.”
1/ Recently a NFT project was
compromised rugging the team of
197 ETH. Interestingly enough,
suspicious code lay within the
smart contract potentially putting
31 other NFT projects at risk. How
is this possible you ask? Well let’s
dive in. pic.twitter.com/NelTIkoNVm
— zachxbt (@zachxbt) March 8, 2022