QI Quadriga Initiative

Jan 2025 - The Idols NFT Self Reflection Rewards Vulnerability - $324k (Global)

"The Idols are the guardians of Ethereum. Born from an Offering that locked away staked ETH forever, the Idols made a solemn vow to protect the blockchain for all time."

The Idols are a series of unique NFTs representing guardians of Ethereum, born from an offering that locked staked ETH forever. The Idols, such as the Ape Idol, Neptune Idol, and Armored Zombie Idol, have sworn to protect the blockchain. They are associated with the $VIRTUE token, an ERC20 token that can be staked to earn a share of the commission from all Idol NFT trades. The system operates in a virtuous cycle: 7.5% of commission from Idol NFT sales is paid to $VIRTUE stakers, and stETH rewards are distributed to NFT owners, further reinforcing the cycle. This ecosystem is 100% community-aligned, with staked ETH powering the Idol Treasury.

"The root cause of the exploit was a flawed logic in the _beforeTokenTransfer function, which mishandled the claiming of rewards during NFT (ERC721 tokens) transfers when the sender (_from) and receiver (_to) were the same address. This logic oversight allowed the attacker to repeatedly claim stETH rewards by performing self-transfers."

"When _from and _to are the same, _beforeTokenTransfer first calls _claimEthRewards(_from) to claim pending stETH rewards for the sender. This action calculates the sender's rewards and transfers them based on their current claimedSnapshots value. This uses the getPendingStethReward function, which calculates rewards as: (balanceOf(_user) * (rewardPerGod - claimedSnapshots[_user]))"

"After claiming the rewards, if the sender has no NFTs (ERC721 tokens) left after the transfer (balanceOf(_from) == 1), their claimedSnapshots entry is deleted. This reset removes the record of previously claimed rewards for the sender."

"Since _from and _to are the same, _claimEthRewards(_to) is called next. At this point, claimedSnapshots[_to] has been either deleted or reset in the previous step. The reward calculation is repeated: (balanceOf(_to) * (rewardPerGod - 0)) from getPendingStethReward."

"The subtraction of 0 (due to the deleted or reset claimedSnapshots) inflates the calculated rewards, enabling the same address to claim rewards again."

"Inside _claimEthRewards, after transferring the current rewards, claimedSnapshots[_user] is reset to rewardPerGod. This reset makes it appear as though the user has not claimed rewards yet, allowing further exploitation in subsequent self-transfers. The reset occurs irrespective of whether the transfer involves a new receiver or the same address."

"The attacker exploited this logic by repeatedly initiating self-transfers of NFTs (ERC721 tokens). Each iteration reset claimedSnapshots, enabling them to claim rewards anew in every transaction."

"The Idols NFT team has identified suspicious transactions on the Idols Main contract. The team is thoroughly exploring all available options to resolve the situation as quickly as possible and ensure the security of the project."

"As a precautionary measure, the team advises users to refrain from interacting with any contracts related to the Idols NFT project until further notice to avoid potential risk."

"Suspicious transactions have been discovered today on the Idols Main contract. Our team is actively investigating the issue and exploring all options to resolve the situation as quickly as possible. DO NOT interact with any contracts related to the project until further notice."

Further Analysis

The Idols are a series of unique NFTs representing guardians of Ethereum, born from an offering that locked staked ETH forever. On January 15, 2025, the Idols NFT contract on Ethereum was exploited, leading to the loss of approximately $340K in stETH. The vulnerability stemmed from flawed logic in the _beforeTokenTransfer function, which mishandled reward claims when the sender and receiver were the same address. This oversight allowed an attacker to repeatedly claim stETH rewards through self-transfers of NFTs. The Idols NFT team is working on resolving the issue, and there is no word yet on any potential remuneration.

How Could This Have Been Prevented?
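An added illustration (not The Idols' contract and not from the original write-up): a minimal Solidity reward ledger that reproduces the self-transfer flaw described above next to a hardened hook. The names rewardPerGod, claimedSnapshots, getPendingStethReward and _claimEthRewards follow the write-up; the balance mapping, the paid ledger standing in for the stETH transfer, the hardened switch and the simplified one-token transfer are assumptions for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not The Idols' contract. Models the reward hook the
// write-up describes (vulnerable path) next to a hardened one. Names that
// follow the write-up: rewardPerGod, claimedSnapshots, getPendingStethReward,
// _claimEthRewards. Everything else here is an assumption for the demo.
contract SelfTransferRewardDemo {
    mapping(address => uint256) public balanceOf;        // NFTs held per address
    mapping(address => uint256) public claimedSnapshots; // rewardPerGod at last claim
    mapping(address => uint256) public paid;             // stands in for stETH sent out
    uint256 public rewardPerGod;                         // cumulative reward per NFT
    bool public immutable hardened;

    constructor(bool _hardened) { hardened = _hardened; }

    function mint(address to, uint256 n) external { balanceOf[to] += n; }
    function addRewards(uint256 perGod) external { rewardPerGod += perGod; }

    // Pending reward: balance * (rewardPerGod - claimedSnapshots[user]).
    function getPendingStethReward(address user) public view returns (uint256) {
        return balanceOf[user] * (rewardPerGod - claimedSnapshots[user]);
    }

    function _claimEthRewards(address user) internal {
        uint256 pending = getPendingStethReward(user);
        if (pending > 0) paid[user] += pending;
        claimedSnapshots[user] = rewardPerGod; // the unconditional reset
    }

    function _beforeTokenTransfer(address from, address to) internal {
        if (hardened && from == to) return; // self-transfer changes no balance: settle nothing
        _claimEthRewards(from);
        if (!hardened && balanceOf[from] == 1) delete claimedSnapshots[from]; // sender ends at 0
        if (hardened && balanceOf[to] == 0) {
            claimedSnapshots[to] = rewardPerGod; // first token: start from the current mark
        } else {
            _claimEthRewards(to); // vulnerable path: snapshot just deleted, so (rewardPerGod - 0) is paid again
        }
    }

    // Simplified single-token transfer; a real ERC721 would move a tokenId.
    function transfer(address to) external {
        require(balanceOf[msg.sender] > 0, "no token");
        _beforeTokenTransfer(msg.sender, to);
        balanceOf[msg.sender] -= 1;
        balanceOf[to] += 1;
    }
}
```

Deployed with hardened = false, one minted NFT and some rewards added, every transfer(msg.sender) call grows paid[msg.sender] by rewardPerGod, which is the inflation the write-up describes; with hardened = true the same calls pay only the genuinely pending amount once.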
