defi-detective-alleges-this-‘suspicious’-smart-contract-code-may-put-dozens-of-projects-at-risk

DeFi detective alleges this ‘suspicious’ smart contract code may put dozens of projects at risk

“TLDR: they can pull $$ even if the owner is the null address,” writes Zachxbt.

4672 Total views

32 Total shares

DeFi detective alleges this ‘suspicious’ smart contract code may put dozens of projects at risk

According to famed decentralized finance (DeFi) detective Zachxbt, 31 nonfungible token (NFT) projects may be at risk due to “suspicious code.” In a lengthy Twitter thread published Tuesday, the DeFi detective first raised the issue of NFT project Thestarlab, which was allegedly compromised for 197.175 Ether (ETH), worth $580,325 at the time of publication. Zachxbt quoted fellow blockchain investigator MouseDev, who came to the following conclusion after reviewing the code behind Thestarlab: 

“The smart contract [for this project] can never truly be renounced or transferred—only an additional owner. The original deployer will always be considered the owner. This means if they still have the private key of the deployer, they can pull the money, even though the owner is the null address.”

MouseDev claimed that when the projects’ developers deployed their contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” said MouseDev.

Based on this information, Zachxbt claimed to have uncovered 31 NFT projects that all contracted the same Fiverr developer to deploy the allegedly problematic smart contract. Additionally, the DeFi detective had the following remarks:

“Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able migrate contracts and confront the Fiver dev. After reviewing internally, a few found other red flags as well.”

1/ Recently a NFT project was

compromised rugging the team of

197 ETH. Interestingly enough,

suspicious code lay within the

smart contract potentially putting

31 other NFT projects at risk. How

is this possible you ask? Well let’s

dive in. pic.twitter.com/NelTIkoNVm

— zachxbt (@zachxbt) March 8, 2022