Premint Fingers Open Source Flaw For NFT HackPremint NFT Shares $500K Attack Details, Promises Compensation
Premint NFT is blaming an open-source vulnerability for the platform's role in the theft of approximately half a million dollars-worth of blockchain assets, one of the largest non-fungible token attacks ever.
Hackers stole 321 blockchain entries worth about $500,000 from 28 wallets of Premint users on Sunday, Premint founder Brenden Mulligan acknowledged in a Wednesday live session. The website allows users to join a database of potential buyers of new NFT projects.
Attackers used the injection to create a dialogue box asking users to verify their wallet ownership. Users who did so saw their wallets drained of assets. In a blog post, Premint says it uses an open source tool allowing users to upload the images into an Amazon S3 bucket. The tool contained a vulnerability that allowed the attacker to evade pre-configured upload limits, Premint says.
Users who fell for the prompt asking them to verify their wallet ownership also agreed to a "SetApprovalForAll" setting in their wallet, Premint said last Sunday.
SetApprovalForAll is designed to allow decentralized finance platform users to automatically approve the transfer of specific tokens designated by an underlying smart contract at a future time. The function is a boon for threat actors who exploit it to transfer all of another users' tokens to their own wallets (see: $8M of Crypto Stolen by Phishing From Uniswap Liquidity Pool).
An undisclosed third-party cybersecurity firm is conducting an independent investigation as well.
The company also released a new method for users to log into their accounts that doesn't involve connecting their wallets.
Premint on Wednesday also announced the acquisition of crypto wallet authentication company Vulcan for an undisclosed amount. "Vulcan is the safest way to prove wallet / NFT ownership in Discord," the company tweeted.
The company says it will compensate victims of the theft. "We took a snapshot of the floor price of the stolen NFTs this morning, and we'll be transferring ETH to the affected wallet in the next 7 days," it tweeted on Wednesday.
"This is a ONE TIME action, for this very specific event, and only for the wallets on the linked list. We know this isn't a perfect solution, but we feel like it's an objective, scalable way of dealing with a horrible situation for many people," the company tweeted.
The company finalized a list of victims eligible for compensation by sharing on Twitter a form for the affected parties to fill out and comparing those entries with the results of an on-chain investigation on the stolen NFTs.
In a separate tweet thread, Mulligan disclosed that the company reinstated two of the most valuable NFTs stolen during the attack. At the time of writing this story, the restored NFTs were worth a total of $138,715.64: the BAYC #3613 NFT was worth $125,009.77 and the Azuki #9024 NFT was worth $13,705.87.
PREMINT will be compensating victims of the July 17 incident.— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 20, 2022
We took a snapshot of the floor price of the stolen NFTs this morning, and we'll be transferring ETH to the affected wallet in the next 7 days. https://t.co/5tM7RYnEVs