QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$324 000 USD
JANUARY 2025
GLOBAL
THE IDOLS
DESCRIPTION OF EVENTS

"The Idols are the guardians of Ethereum. Born from an Offering that locked away staked ETH forever, the Idols made a solemn vow to protect the blockchain for all time."
The Idols are a series of unique NFTs representing guardians of Ethereum, born from an offering that locked staked ETH forever. The Idols, such as the Ape Idol, Neptune Idol, and Armored Zombie Idol, have sworn to protect the blockchain. They are associated with the $VIRTUE token, an ERC20 token that can be staked to earn a share of the commission from all Idol NFT trades. The system operates in a virtuous cycle: 7.5% of commission from Idol NFT sales is paid to $VIRTUE stakers, and stETH rewards are distributed to NFT owners, further reinforcing the cycle. This ecosystem is 100% community-aligned, with staked ETH powering the Idol Treasury.
"The root cause of the exploit was a flawed logic in the _beforeTokenTransfer function, which mishandled the claiming of rewards during NFT (ERC721 tokens) transfers when the sender (_from) and receiver (_to) were the same address. This logic oversight allowed the attacker to repeatedly claim stETH rewards by performing self-transfers."
"When _from and _to are the same, _beforeTokenTransfer first calls _claimEthRewards(_from) to claim pending stETH rewards for the sender. This action calculates the sender’s rewards and transfers them based on their current claimedSnapshots value. This uses the getPendingStethReward function, which calculates rewards as: (balanceOf(_user) * (rewardPerGod - claimedSnapshots[_user]))"
"After claiming the rewards, if the sender has no NFTs (ERC721 tokens) left after the transfer (balanceOf(_from) == 1), their claimedSnapshots entry is deleted. This reset removes the record of previously claimed rewards for the sender."
"Since _from and _to are the same, _claimEthRewards(_to) is called next. At this point, claimedSnapshots[_to] has been either deleted or reset in the previous step. The reward calculation is repeated: (balanceOf(_to) * (rewardPerGod - 0)) from getPendingStethReward."
"The subtraction of 0 (due to the deleted or reset claimedSnapshots) inflates the calculated rewards, enabling the same address to claim rewards again."
"Inside _claimEthRewards, after transferring the current rewards, claimedSnapshots[_user] is reset to rewardPerGod. This reset makes it appear as though the user has not claimed rewards yet, allowing further exploitation in subsequent self-transfers. The reset occurs irrespective of whether the transfer involves a new receiver or the same address."
"The attacker exploited this logic by repeatedly initiating self-transfers of NFTs (ERC721 tokens). Each iteration reset claimedSnapshots, enabling them to claim rewards anew in every transaction."
"The Idols NFT team has identified suspicious transactions on the Idols Main contract. The team is thoroughly exploring all available options to resolve the situation as quickly as possible and ensure the security of the project."
"As a precautionary measure, the team advises users to refrain from interacting with any contracts related to the Idols NFT project until further notice to avoid potential risk."
"Suspicious transactions have been discovered today on the Idols Main contract. Our team is actively investigating the issue and exploring all options to resolve the situation as quickly as possible. DO NOT interact with any contracts related to the project until further notice."
The Idols are a series of unique NFTs representing guardians of Ethereum, born from an offering that locked staked ETH forever. On January 15, 2025, the Idols NFT contract on Ethereum was exploited, leading to the loss of approximately $340K in stETH. The vulnerability stemmed from flawed logic in the _beforeTokenTransfer function, which mishandled reward claims when the sender and receiver were the same address. This oversight allowed an attacker to repeatedly claim stETH rewards through self-transfers of NFTs. The Idols NFT team is working on resolving the issue and there is no word yet on any potential remuneration.
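The accounting flaw described above can be checked as a solvency invariant (total paid out must never exceed total accrued). The following is an added Python model, not the Idols contract's own code: field names mirror the quoted analysis, while the holders, the accrual amount and the `fixed` branch (an assumed mitigation that settles a self-transfer once and keeps the snapshot) are constructed for illustration.

```python
# Added illustration, not the Idols contract: a simplified accounting model.
# Field names mirror the quoted analysis; the `fixed` branch is an assumed mitigation.
class IdolRewardsModel:
    def __init__(self, fixed):
        self.fixed = fixed
        self.balance = {}            # balanceOf
        self.claimed_snapshots = {}  # claimedSnapshots (missing key reads as 0)
        self.reward_per_god = 0      # rewardPerGod, cumulative reward per NFT
        self.paid = {}               # total paid out per address, in model units

    def get_pending_steth_reward(self, user):
        snap = self.claimed_snapshots.get(user, 0)
        return self.balance.get(user, 0) * (self.reward_per_god - snap)

    def _claim_eth_rewards(self, user):
        self.paid[user] = self.paid.get(user, 0) + self.get_pending_steth_reward(user)
        self.claimed_snapshots[user] = self.reward_per_god

    def mint(self, user):
        self._claim_eth_rewards(user)  # settle first so the new NFT earns from now on
        self.balance[user] = self.balance.get(user, 0) + 1

    def transfer(self, frm, to):
        if self.fixed and frm == to:
            self._claim_eth_rewards(frm)  # settle once, never delete the snapshot
            return
        self._claim_eth_rewards(frm)
        if self.balance[frm] == 1:
            self.claimed_snapshots.pop(frm, None)  # sender is treated as leaving
        self._claim_eth_rewards(to)  # flawed path: for frm == to the snapshot is gone
        self.balance[frm] -= 1
        self.balance[to] = self.balance.get(to, 0) + 1

def run_scenario(fixed, self_transfers):
    """Return (total paid out, total rewards accrued) for constructed holders."""
    m = IdolRewardsModel(fixed)
    m.mint("alice")
    m.mint("bob")
    m.reward_per_god += 10  # constructed accrual: 10 units per NFT
    for _ in range(self_transfers):
        m.transfer("alice", "alice")
    m.transfer("bob", "carol")  # ordinary transfer for comparison
    accrued = m.reward_per_god * sum(m.balance.values())
    return sum(m.paid.values()), accrued

if __name__ == "__main__":
    for fixed in (False, True):
        paid, accrued = run_scenario(fixed, self_transfers=3)
        print("fixed" if fixed else "flawed", paid, accrued, "solvent:", paid <= accrued)
```

In the flawed path every self-transfer pays the full cumulative `rewardPerGod` again, so payouts grow with the number of self-transfers while accrued rewards stay constant; a property test asserting `paid <= accrued` after arbitrary transfer sequences catches this class of bug before deployment.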
Rekt - The Idols NFT - Rekt (Jan 16)
The Idols NFT (Jan 16)
https://opensea.io/collection/idolsnft (Jan 16)
@theidolsnft Twitter (Jan 16)
@TheIdolsNFT Twitter (Jan 16)
The Idols NFT Hack Analysis. Overview: | by Shashank | Jan, 2025 | SolidityScan (Jan 16)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 16)
@TenArmorAlert Twitter (Jan 16)
@TenArmorAlert Twitter (Jan 16)
@TikkalaResearch Twitter (Jan 16)
@TikkalaResearch Twitter (Jan 16)
