- Type: Exploit
- Network: Ethereum
- Total lost: 1 NFT (unknown price)
- Category: Access Control
- Exploited contracts:
- Attack transactions:
- Attack Block: 14163042
- Date: Feb 08, 2022
- Reproduce:
forge test --match-contract Exploit_SandBox -vvv
- Find a player you don't like
- Call
_burn
with(enemyAddress, enemyAddress, id)
- You have destroyed your enemy NFT
The Sandbox Land contract has a _burn
method that destroys an NFT.
function _burn(address from, address owner, uint256 id) public {
require(from == owner, "not owner");
_owners[id] = 2**160; // cannot mint it again
_numNFTPerAddress[from]--;
emit Transfer(from, address(0), id);
}
The method apparently intends to authenticate the burn
, but does so using
parameters to the function instead of msg.sender
. This leads to the attack being
quite trivial: the attacker just sends from == owner
.
- Use
msg.sender
instead of the function parameterfrom