May 2023 - Land of Genesis Mint Permission Hack - $150k (Global)

"Land of Genesis NFT is the ecological core and economic construction foundation of Miracle Farm, with a total of 1500 scarce resources. If you own land NFT will get the entrance ticket of Miracle Farm ecology."
"Today, $LAND was exploited for 200 NFTs, caused by a lack of permission control on mint"
"The DeFi protocol land was suspected of being attacked and lost about 150,000 US dollars. The reason for the attack was the lack of mint permission control."
"Odaily Planet Daily News According to Beosin EagleEye’s security risk monitoring, early warning and interruption platform monitoring under the block chain security audit company Beosin, on May 14, Beijing time, DeFi Agreement land was suspected of being attacked, with a loss of approximately US$150,000. Beosin Trace traced and found that 149,616 BUSDs have been stolen."
"The reason for the attack was the lack of mint authority control. Specifically, there are several miner addresses at the ( project side mint NFT, including 0x2e59983715d2f92468fa5ae3f9aab4e930e3ac78; (2) attacker call 0x2e59, Use the NFT cast in the previous step to exchange a large amount of XQJ tokens (for each NFT to 200 XQJ) until the contract cannot be replaced by XQJ; (4) The attacker exchanged 149,616 BUSDs; (5."
"Some of the miner addresses of the project can mint unlimited quantity of NFTs, including this wallet: 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7"
"The scammer calls 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract to mint 200 NFTs"
"Then, the scammer calls the 0x2c672a34 function of the 0xeab03ad7ea0ac5afb272b592bef88cf93ed190c5 contract to swap for a large amount of $XQJ using the previous minted NFTs (200 $XQJ per NFT)
The attacker swaps 28,601 $XQJ for 149,616 $BUS"
"The scammer minted NFTs again until the NFT issue limit was reached"
"Most of the stolen funds are still at the attacker's address."
Further Analysis
The Land of Genesis NFTs don't appear to have a widely known homepage. There are a maximum of 1,500 of them. An attacker appears to have minted a portion of NFTs that weren't supposed to be minted. Most funds remain in the attacker's wallet.
How Could This Have Been Prevented?
Multi-signature.
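The mint permission control that the quoted reports say was missing, sketched as an added example; it is not the Land of Genesis contract code, which this page does not show. The contract name, the `minters` allowlist and the multi-signature `admin` address are assumptions for illustration; the 1,500 cap is the total supply stated above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. LandMinter, minters and admin are hypothetical names,
// not identifiers from the affected contracts.
contract LandMinter {
    uint256 public constant MAX_SUPPLY = 1500;  // total supply stated on the page
    uint256 public totalMinted;
    address public immutable admin;             // assumed to be a multi-signature wallet
    mapping(address => bool) public minters;    // explicit allowlist of mint callers
    mapping(uint256 => address) public ownerOf;

    event MinterSet(address indexed account, bool allowed);
    event Minted(address indexed to, uint256 indexed tokenId);

    error NotAdmin();
    error NotMinter();
    error CapExceeded();

    constructor(address multisig) {
        require(multisig != address(0), "admin required");
        admin = multisig;
    }

    // Weak form (the class of bug described above): the same mint function
    // without the minters[msg.sender] check, so any caller can mint.

    // Hardened form: only allowlisted callers, and never past the supply cap.
    function mint(address to, uint256 amount) external {
        if (!minters[msg.sender]) revert NotMinter();
        require(to != address(0), "zero recipient");
        if (totalMinted + amount > MAX_SUPPLY) revert CapExceeded();
        for (uint256 i = 0; i < amount; i++) {
            uint256 tokenId = ++totalMinted;
            ownerOf[tokenId] = to;
            emit Minted(to, tokenId);
        }
    }

    // Only the multisig can grant or revoke mint rights, so no single key can.
    function setMinter(address account, bool allowed) external {
        if (msg.sender != admin) revert NotAdmin();
        minters[account] = allowed;
        emit MinterSet(account, allowed);
    }
}
```

The `MinterSet` and `Minted` events give monitoring a record of who was granted mint rights and of every token issued.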
Sources/Further Reading
SlowMist Hacked - SlowMist Zone (Dec 31)
Contract Address 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 | BscScan (Dec 31)
Security firm: DeFi protocol land suspected of being attacked, losing about US$150,000 - Newsflash - ODAILY (Dec 31)
@BeosinAlert Twitter (Dec 31)
Beosin: DeFi protocol land suspected of being attacked, losing about US$150,000 - Foresight News (Dec 31)
https://opensea.io/collection/land-11 (Dec 31)
Binance Transaction Hash (Txhash) Details | BscScan (Dec 31)
@DeDotFiSecurity Twitter (Dec 31)
land Collections | BitKeep NFT (Dec 31)
land (land) Token Tracker | BscScan (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com