Overview:
On July 8, 2023, CIVNFT suffered an attack on the Ethereum chain, due to an access control issue leading to a loss of ~180K USD.
Smart Contract Hack Overview:

Fig: Attack Transaction
Decoding the Smart Contract Vulnerability:
- The root cause was a missing access control check on the function with selector 0x7ca06d68: nothing in the contract restricted which address could call it.
- Through that unrestricted function, an attacker could set the _uniswapV3MintCallback value to one of their choosing and then drive the contract directly from an attack contract. A Uniswap V3 mint callback is meant to be reached only by the pool that is owed tokens, so a callback path that any address can enter or reconfigure lets the caller redirect the contract's token payments.
- As a consequence, tokens such as $CIV and $USDC that users had approved for use in CIVNFT were pulled from those users and transferred to the attacker.


Fig: Attack flow
Mitigation and Best Practices:
- Introduce an access control mechanism that restricts privileged operations (changing callback targets, pools, or other configuration) to authorized addresses or roles, so that only trusted entities can reconfigure or initiate the process.
- Apply function modifiers that validate the caller's permissions before executing critical operations. Use the OpenZeppelin libraries and their "onlyOwner" modifier (or role-based AccessControl) for functions meant to be called only by the contract owner. For Uniswap-style callbacks, additionally check that msg.sender is the expected pool and that the callback arrives during an operation this contract itself started.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic, including negative tests that call privileged functions and callbacks from an unauthorized address.
- To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at Caligo provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://caligosec.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at Caligo.
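The following is an added, illustrative example written for this post; it is not the CIVNFT code and does not reproduce the actual contract or transaction. It shows the two points above side by side: a mint-callback that trusts any caller and takes the payer from attacker-controlled calldata (the pattern described under "Decoding the Smart Contract Vulnerability"), and a hardened version that restricts configuration to the owner, accepts the callback only from the configured pool and only during a mint it started, and pays from its own balance. Contract names, the `IUniswapV3PoolMinimal` subset, the `addLiquidity` function and the `inMint` flag are assumptions introduced here; the example also assumes OpenZeppelin Contracts v5, whose `Ownable` takes the initial owner in its constructor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (Ownable takes the initial owner in its constructor).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Subset of the Uniswap V3 pool interface used here (illustrative, not the full interface).
interface IUniswapV3PoolMinimal {
    function mint(
        address recipient,
        int24 tickLower,
        int24 tickUpper,
        uint128 amount,
        bytes calldata data
    ) external returns (uint256 amount0, uint256 amount1);
}

/// VULNERABLE (illustrative, not the CIVNFT code): the callback trusts whoever calls it.
contract VulnerableLiquidityManager {
    using SafeERC20 for IERC20;

    IERC20 public immutable token0;
    IERC20 public immutable token1;

    constructor(IERC20 t0, IERC20 t1) {
        token0 = t0;
        token1 = t1;
    }

    // Intended to be invoked by the pool during mint() to collect the tokens owed.
    // Nothing verifies msg.sender, and the payer is decoded from caller-supplied data,
    // so an attacker contract can call this directly and have tokens that any user
    // approved to this contract sent to itself (msg.sender).
    function uniswapV3MintCallback(uint256 amount0Owed, uint256 amount1Owed, bytes calldata data) external {
        address payer = abi.decode(data, (address));
        if (amount0Owed > 0) token0.safeTransferFrom(payer, msg.sender, amount0Owed);
        if (amount1Owed > 0) token1.safeTransferFrom(payer, msg.sender, amount1Owed);
    }
}

/// HARDENED (illustrative): configuration and minting are owner-only, the callback is
/// accepted only from the trusted pool and only while our own mint is in flight, and
/// payment comes from this contract's balance rather than an address read from calldata.
contract HardenedLiquidityManager is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public pool;      // the only address allowed to invoke the callback
    bool private inMint;      // true only while addLiquidity() is executing

    error NotPool(address caller);
    error UnexpectedCallback();

    constructor(IERC20 t0, IERC20 t1, address pool_) Ownable(msg.sender) {
        token0 = t0;
        token1 = t1;
        pool = pool_;
    }

    // Only the owner may change which pool is trusted (the kind of setter that
    // must never be left callable by anyone).
    function setPool(address pool_) external onlyOwner {
        pool = pool_;
    }

    // Only the owner can start a mint. Tokens are assumed to have been deposited to
    // this contract beforehand (deposit flow omitted for brevity).
    function addLiquidity(int24 tickLower, int24 tickUpper, uint128 liquidity)
        external
        onlyOwner
        returns (uint256 amount0, uint256 amount1)
    {
        inMint = true;
        (amount0, amount1) = IUniswapV3PoolMinimal(pool).mint(address(this), tickLower, tickUpper, liquidity, "");
        inMint = false;
    }

    // Reject any caller other than the configured pool, and any call that does not
    // occur inside our own mint. The data parameter is deliberately ignored.
    function uniswapV3MintCallback(uint256 amount0Owed, uint256 amount1Owed, bytes calldata) external {
        if (msg.sender != pool) revert NotPool(msg.sender);
        if (!inMint) revert UnexpectedCallback();
        if (amount0Owed > 0) token0.safeTransfer(msg.sender, amount0Owed);
        if (amount1Owed > 0) token1.safeTransfer(msg.sender, amount1Owed);
    }
}
```

The two checks in the hardened callback are independent on purpose: the `msg.sender == pool` check stops direct calls from an attack contract, and the `inMint` flag stops a legitimate pool from being used as a relay if it can somehow be induced to call back at an unexpected time. A test suite for such a contract should call `uniswapV3MintCallback` and `setPool` from a non-owner, non-pool address and assert that both revert.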

Caligo — Smart Contract Vulnerability Scanner
Conclusion:
Caligo is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts.
Follow us on our Social Media for Web3 security-related updates.
Caligo Security — LinkedIn | Twitter | Telegram