BTNFT Contract BTT Rewards Not Validating NFT Ownership
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The BTNFT smart contract was deployed, though its connection to BitTorrent remains uncertain. A vulnerability in the contract's logic allowed anyone to exploit the reward mechanism by transferring BTNFT tokens to the contract without needing to prove NFT ownership. This flaw enabled unauthorized claims of BTT token rewards. Security firms TenArmor and Tikkala Security reported the exploit, estimating the total loss at $19,000. As of now, there has been no public response from the project, no recovery effort or investigation announced, and no support offered to affected users.[1][2][3][4][5][6][7]
About BTNFT
The BTNFT smart contract was created on January 3rd, 2025. It is unclear if this is somehow related to BitTorrent.
Smart Contract Address: 0x0fc91b6fea2e7a827a8c99c91101ed36c638521b
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
A logic flaw in the BTNFT smart contract, deployed on January 3, 2025, allowed anyone to exploit the BTT reward system, resulting in a $19,000 loss.
| Date | Event | Description |
|---|---|---|
| January 3rd, 2025 4:19:22 AM MST | BTNFT Smart Contract Created | The BTNFT smart contract is first created. |
| April 18th, 2025 12:00:52 PM MDT | First Attack Transaction | The first attack transaction is accepted by the Binance Smart Chain. |
| April 18th, 2025 12:01:31 PM MDT | Second Attack Transaction | The second attack transaction is accepted by the Binance Smart Chain. |
| April 18th, 2025 2:01:00 PM MDT | Tikkala Security Tweet | Tikkala Security posts an overview summary of the protocol, both transactions, and the attacker. |
| April 19th, 2025 1:50:00 AM MDT | TenArmor Posting Tweet | TenArmor posts a tweet with both attack transactions highlighted, giving a high level explanation of the exploit condition. |
Technical Details
According to TenArmor, this is "[a] simple logic bug! Anyone can claim the BTT token reward by transferring BTTNFT to the contract itself without validation of NFT ownership."
Total Amount Lost
TenArmor and Tikkala Security have both reported that the amount lost was $19k.
The total amount lost has been estimated at $19,000 USD.
Immediate Reactions
It is unclear how the project or those who may be affected have reacted. The incident was reported on by Tikkala Security and TenArmor.
Ultimate Outcome
There does not appear to be any announcement about the incident. It is believed that there is no recovery or investigation underway.
Total Amount Recovered
There is no indication that any assistance is available for affected users.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
It is unclear if any future investigation or recovery will occur.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ TenArmor - "Our system has detected a suspicious attack involving #BTNFT on #BSC, resulting in an approximately loss of $19K." - Twitter/X (Accessed Aug 5, 2025)
- ↑ First Attack Transaction - BSCScan (Accessed Aug 5, 2025)
- ↑ Second Attack Transaction - BSCScan (Accessed Aug 5, 2025)
- ↑ Tikkala Research - "BTNFT was hacked and it lost about $19k." - Twitter/X (Accessed Aug 5, 2025)
- ↑ The Attacker's BSC Address - BSCScan (Accessed Aug 5, 2025)
- ↑ BTNFT Smart Contract Address - BSCScan (Accessed Aug 5, 2025)
- ↑ Binance Transaction Hash: 0x250217f069... (Accessed Aug 5, 2025)