QI Quadriga Initiative

Apr 2025 - BTNFT Contract BTT Rewards Not Validating NFT Ownership - $19k (Global)

The BTNFT smart contract was created on January 3rd, 2025. It is unclear if this is somehow related to BitTorrent.

Smart Contract Address: 0x0fc91b6fea2e7a827a8c99c91101ed36c638521b

According to TenArmor, this is "[a] simple logic bug! Anyone can claim the BTT token reward by transferring BTTNFT to the contract itself without validation of NFT ownership."

TenArmor and Tikkala Security have both reported that the amount lost was $19k.

It is unclear how the project or those who may be affected have reacted. The incident was reported on by Tikkala Security and TenArmor.

There does not appear to be any announcement about the incident. It is believed that there is no recovery or investigation underway.

There is no indication that any assistance is available for affected users.

It is unclear if any future investigation or recovery will occur.

Further Analysis

The BTNFT smart contract was deployed, though its connection to BitTorrent remains uncertain. A vulnerability in the contract's logic allowed anyone to exploit the reward mechanism by transferring BTNFT tokens to the contract without needing to prove NFT ownership. This flaw enabled unauthorized claims of BTT token rewards. Security firms TenArmor and Tikkala Security reported the exploit, estimating the total loss at $19,000. As of now, there has been no public response from the project, no recovery effort or investigation announced, and no support offered to affected users.

How Could This Have Been Prevented?

More Cryptocurrency Exchange Hacks/Scams/Frauds

Numa Money Collateral Loss via Flash Loan Price Manipulation > > < < YB Token Sandwich Attack Due To No Slippage Protection

Sources/Further Reading

TenArmor - "Our system has detected a suspicious attack involving #BTNFT on #BSC, resulting in an approximately loss of $19K." - Twitter/X (Dec 31)
First Attack Transaction - BSCScan (Dec 31)
Second Attack Transaction - BSCScan (Dec 31)
Tikkala Research - "BTNFT was hacked and it lost about $19k." - Twitter/X (Dec 31)
The Attacker's BSC Address - BSCScan (Dec 31)
BTNFT Smart Contract Address - BSCScan (Dec 31)
Binance Transaction Hash: 0x250217f069... (Dec 31)

Join Us!

 Name: Email:
t.me/QuadrigaInitiative /r/QuadrigaInitiative @QuadrigaInit info@quadrigainitiative.com
Sign-Ups: 100%

Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected User. For questions or enquiries, email info@quadrigainitiative.com.