ERC-X Miner Contract Exploit on ERC-404 Standard: our Expert Analysis
Disclaimer: The information presented in the article “ERC-X Miner Contract Exploit on ERC-404 Standard: our Expert Analysis” is provided for informational purposes only and should not be construed as advice or guidance for any purpose. Crypton Studio is not responsible for any further actions taken by readers and does not recommend taking any actions based solely on this information.
ERC-X contract exploit of the MINER project
On 14 February 2024, the MINER project’s ERC-X contract was exploited on the Ethereum mainnet due to a double-spend vulnerability resulting in a loss of 168.8 ETH (about $470,000).
The ERC-X contract is a combination of ERC-20, ERC-721, ERC-1155 and ERC-404 and their extensions.
MINER is a collection of 100,000 avatars linked to ERC-X tokens.
What is ERC-404?
The ERC-404 is a new experimental standard that allows to combine the standard of fungible tokens (ERC-20) and non fungible tokens (ERC-721).
The idea of these tokens is that non- fungible tokens are represented as fungible tokens and the reverse. Thus it is possible to increase liquidity due to the fact that non fungible tokens can be traded in smaller units in the form of fungible tokens.
Let’s look at an example. An ERC20 + NFT token is equal to one ERC-404 token. 1 NFT token cannot be divided into fewer parts, while 1 ERC-20 token is usually equal to 10 to the 18th degree of units, which is its divisibility.
If the account balance is less than one ERC-404 token, it owns that amount of ERC-20. If the account balance is equal to or greater than one ERC-404, then it owns that amount of ERC-20 tokens and the relevant amount of NFTs.
NFTs can be traded on NFT marketplaces such as OpenSea, while ERC-20 tokens can be traded on decentralised exchanges such as Uniswap. This allows to capture the liquidity of both NFT marketplaces and decentralised exchanges.
It is important to note that ERC-404 is not an officially accepted standard by the Ethereum community and is experimental in itself, which in its turn implies risks.
What happened with ERC-X contract of the MINER project?
Now let’s analyse the vulnerability of the contract why this happened.
The problem is that when calling the transfer function, which is responsible for transferring tokens, there is a check that the input arguments from and to are not null addresses. But there is no check that the from address is different from the to address. This means that it is possible to specify the same address as the sender and the receiver!
Next, the transfer function calls the update function.
In the _update function you should pay attention to the fact that address balances are initially saved to memory variables, which are further used for calculations.
Then the balance of address from is updated fromBalance ( which was cached ) — value. And immediately the value of the address from the calculation toBalance (which was cached) + value is overwritten. And if the from and to addresses are the same, the data is actually updated simply by the new value of the original balance + value. And in this case, this function simply increases the address balance!
To protect from this vulnerability, simply add a check that the address from != (not equal to) the address to!
At the moment it is highly recommended not to interact with this contract!
Conclusion
This incident highlights the critical importance of auditing and following best practices in developing secure smart contracts because this is a known vulnerability.
It is also very important to be careful when interacting with new standards, especially if they are not accepted by the Ethereum community. In this case, this contract was deployed on the network only a few days before it was exploited!
At Crypton Studio, we understand the critical importance of security in blockchain development. That’s why we strictly adhere to industry-leading best practices when creating smart contracts for our clients. Our team is experienced in identifying and mitigating vulnerabilities to ensure the integrity and reliability of your smart contracts. Whether your contracts need auditing, additional verification, or ongoing support, you can trust us to provide comprehensive solutions tailored to your specific needs. Partner with Crypton Studio for robust and secure smart contract development.
Contact us by mail or message us on Telegram to learn more about our audit services and smart contracts development.
Visit our website: https://crypton.studio/en
Originally published at https://dev.to on February 16, 2024.