Premint Fingers Open Source Flaw For NFT Hack
Premint NFT Shares $500K Attack Details, Promises Compensation
Premint NFT is blaming an open-source vulnerability for the platform's role in the theft of approximately half a million dollars' worth of blockchain assets, one of the largest non-fungible token attacks ever.
Hackers stole 321 blockchain entries worth about $500,000 from 28 wallets of Premint users on Sunday, Premint founder Brenden Mulligan acknowledged in a Wednesday live session. The website allows users to join a database of potential buyers of new NFT projects.
The incident, which affected wallets containing NFTs such as Bored Ape Yacht Club and Oddities, began with an injection of malicious JavaScript, crypto security firm CertiK told Information Security Media Group on Monday (see: Hackers Steal $421K From Premint NFT Platform).
Attackers used the injection to create a dialog box asking users to verify their wallet ownership. Users who did so saw their wallets drained of assets. In a blog post, Premint says it uses an open-source tool that lets users upload images to an Amazon S3 bucket. The tool contained a vulnerability that allowed the attacker to evade pre-configured upload limits, Premint says.
The flaw let the hackers circumvent restrictions on which folders they could upload files to, which in turn let them edit the site's JavaScript file to set up the attack. "This change made it so premint.xyz included another JavaScript file from a separate, newly registered domain they had full control over."
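The root cause Premint describes is an upload-folder restriction that could be bypassed. As an added example, which is not Premint's code or the open-source upload tool's, here is the kind of server-side key validation a defender would want in front of any S3 PutObject: the key is decoded once, anything that could be reinterpreted later is refused rather than normalized, and only a single image file directly under the upload prefix is accepted. The prefix, the extension list and the sample keys are assumptions constructed for the example.

```javascript
// Added example, not Premint's code or the open-source upload tool's: a server-side
// check on the object key a client asks to upload, applied before any S3 PutObject,
// so a file can only land as a single image directly inside the upload folder.

// Assumed deployment values (constructed for this example).
const UPLOAD_PREFIX = "user-uploads/";
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp"]);

// Returns { ok: true, key } for an acceptable key, or { ok: false, reason } otherwise.
function validateUploadKey(rawKey) {
  if (typeof rawKey !== "string" || rawKey.length === 0 || rawKey.length > 512) {
    return { ok: false, reason: "empty, non-string or oversized key" };
  }
  // Decode once, so percent-encoded traversal ("%2e%2e%2f") is judged on its real value.
  let key;
  try {
    key = decodeURIComponent(rawKey);
  } catch {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  // Anything a later layer could decode or reinterpret again is rejected outright:
  // residual '%' (double encoding), backslashes, control characters.
  if (/[%\\\u0000-\u001f]/.test(key)) {
    return { ok: false, reason: "residual encoding, backslash or control character" };
  }
  // Reject rather than normalize: a key is either already canonical or it is refused,
  // so there is no second representation of the same path to reason about.
  const segments = key.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    return { ok: false, reason: "empty, '.' or '..' path segment" };
  }
  // Exactly one filename after the prefix: no subfolders, no other top-level folders.
  const expectedSegments = UPLOAD_PREFIX.split("/").length;
  if (!key.startsWith(UPLOAD_PREFIX) || segments.length !== expectedSegments) {
    return { ok: false, reason: `key must be a single file directly under ${UPLOAD_PREFIX}` };
  }
  const filename = segments[segments.length - 1];
  const dot = filename.lastIndexOf(".");
  if (dot <= 0 || !ALLOWED_EXTENSIONS.has(filename.slice(dot).toLowerCase())) {
    return { ok: false, reason: "file type not in the image allow-list" };
  }
  return { ok: true, key };
}

// Constructed sample keys: one legitimate upload and several shapes that would
// otherwise let a write land outside the upload folder or drop a script file.
const SAMPLE_KEYS = [
  "user-uploads/avatar.png",
  "user-uploads/../static/app.js",
  "user-uploads/%2e%2e/static/app.js",
  "user-uploads/%252e%252e/static/app.js",
  "/user-uploads/avatar.png",
  "user-uploads/app.js",
];

for (const k of SAMPLE_KEYS) {
  console.log(k, "->", JSON.stringify(validateUploadKey(k)));
}
```

The check belongs on the server that signs or performs the upload, not in the browser: a client-side limit is exactly the kind of restriction a user with a modified client ignores.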
Around midnight the same day, the thieves launched a "full payload of malicious JavaScript" from the new domain. The additional code rewrote parts of the Premint login and project pages to make it appear as if Premint was requesting full access to the victims’ wallets, Premint says.
Users who fell for the prompt asking them to verify their wallet ownership also agreed to a "SetApprovalForAll" setting in their wallet, Premint said last Sunday.
SetApprovalForAll is designed to allow decentralized finance platform users to automatically approve the transfer of specific tokens designated by an underlying smart contract at a future time. The function is a boon for threat actors, who exploit it to transfer all of another user's tokens to their own wallets (see: $8M of Crypto Stolen by Phishing From Uniswap Liquidity Pool).
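To make the approval step concrete, here is an added example, not Premint's or any wallet vendor's code, of the check a wallet or transaction-monitoring hook can run before the user signs: it decodes a setApprovalForAll(address,bool) call from raw calldata and rates the request, treating a grant to an operator the user has never approved as high risk. The function selector is the standard ERC-721/ERC-1155 one; the trusted-operator list, the addresses and the sample transaction are constructed for the example.

```javascript
// Added example, not Premint's or any wallet's code: decode a pending transaction's
// calldata, recognize setApprovalForAll(address,bool), and rate the request before
// it is signed. A grant to an unknown operator hands that operator every token in
// the collection, which is what the prompt in this incident asked victims to do.
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // first 4 bytes of keccak256("setApprovalForAll(address,bool)")

// Helper to build constructed 20-byte addresses for the sample (not real contracts).
const addr = (suffix) => "0x" + suffix.padStart(40, "0");

// Assumed allow-list of operator contracts the user has knowingly approved before (constructed).
const TRUSTED_OPERATORS = new Set([addr("aa")]);

// ABI-encode the call so the example can construct its own sample calldata.
function encodeSetApprovalForAll(operator, approved) {
  const word = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return SET_APPROVAL_FOR_ALL + word + flag;
}

// Returns { operator, approved } for a setApprovalForAll call, null for any other call.
function decodeSetApprovalForAll(data) {
  const hex = (data || "0x").toLowerCase();
  if (!hex.startsWith(SET_APPROVAL_FOR_ALL)) return null;
  const args = hex.slice(10); // drop "0x" and the 8-hex-char selector
  // Static ABI layout: one 32-byte word per argument, the address right-aligned in its word.
  if (!/^[0-9a-f]{128}$/.test(args)) {
    throw new Error("malformed setApprovalForAll calldata");
  }
  if (!/^0{24}/.test(args)) throw new Error("non-zero padding in address word");
  const operator = "0x" + args.slice(24, 64);
  const approved = BigInt("0x" + args.slice(64)) !== 0n;
  return { operator, approved };
}

// Rate the request the way a defensive wallet hook would, returning { risk, reason }.
function assessApprovalRequest(tx) {
  const call = decodeSetApprovalForAll(tx.data);
  if (!call) return { risk: "none", reason: "not a setApprovalForAll call" };
  if (!call.approved) {
    return { risk: "low", reason: `revokes operator ${call.operator} on ${tx.to}` };
  }
  if (TRUSTED_OPERATORS.has(call.operator)) {
    return { risk: "medium", reason: `re-grants trusted operator ${call.operator} on ${tx.to}` };
  }
  return { risk: "high", reason: `grants ${call.operator} transfer rights over every token in ${tx.to}` };
}

// Constructed sample: a request against some collection contract that grants an
// operator address the user has never approved before.
const COLLECTION = addr("bb");
const UNKNOWN_OPERATOR = addr("cc");
const SAMPLE_TX = { to: COLLECTION, data: encodeSetApprovalForAll(UNKNOWN_OPERATOR, true) };

console.log(assessApprovalRequest(SAMPLE_TX)); // risk: 'high'
```

The useful signal is the combination of the selector, the approved flag and an operator the user has no prior relationship with; a prompt that only shows a contract name gives the user none of that.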
The attackers did not gain access to Premint's web or database servers, the NFT company says. "This is a good reminder of the scale of damage an attacker can level against a website from access to client side JavaScript, especially in the realm of web3. Full stack security has never been more important," it says.
Remediation
Premint says it has migrated assets to new buckets with "heightened security controls" and taken measures to prevent further modifications to the JavaScript source. It says it has also changed the process of image uploads and now uses an upload bucket that does not serve any public content.
An undisclosed third-party cybersecurity firm is conducting an independent investigation as well.
The company also released a new method for users to log into their accounts that doesn't involve connecting their wallets.
Premint on Wednesday also announced the acquisition of crypto wallet authentication company Vulcan for an undisclosed amount. "Vulcan is the safest way to prove wallet / NFT ownership in Discord," the company tweeted.
Compensation
The company says it will compensate victims of the theft. "We took a snapshot of the floor price of the stolen NFTs this morning, and we'll be transferring ETH to the affected wallet in the next 7 days," it tweeted on Wednesday.
"This is a ONE TIME action, for this very specific event, and only for the wallets on the linked list. We know this isn't a perfect solution, but we feel like it's an objective, scalable way of dealing with a horrible situation for many people," the company tweeted.
The company finalized a list of victims eligible for compensation by sharing on Twitter a form for the affected parties to fill out and comparing those entries with the results of an on-chain investigation on the stolen NFTs.
In a separate tweet thread, Mulligan disclosed that the company reinstated two of the most valuable NFTs stolen during the attack. At the time of writing this story, the restored NFTs were worth a total of $138,715.64: the BAYC #3613 NFT was worth $125,009.77 and the Azuki #9024 NFT was worth $13,705.87.
PREMINT will be compensating victims of the July 17 incident.
We took a snapshot of the floor price of the stolen NFTs this morning, and we'll be transferring ETH to the affected wallet in the next 7 days. https://t.co/5tM7RYnEVs
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 20, 2022