Ember Sword NFT Contract Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Ember Sword Logo/Homepage

Ember Sword is a groundbreaking MMORPG that offers a unique blend of community-led gameplay and frictionless PvP and PVE experiences. Players can embark on adventures, engage in combat, or explore the world peacefully. The game incorporates AI-driven dynamic events and emphasizes player participation, aiming to revolutionize gaming. A recent vulnerability in an NFT auction contract on Polygon allowed an attacker to extract approximately $195k. The Ember Sword team is collaborating with audit firms and authorities to address the issue, and is considering how to compensate any affected players.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]

About Ember Sword

"Ember Sword is a social sandbox MMORPG taking place in a player-driven universe where the adventure finds you. Built by a team of imaginative artists, engineers, and game designers, Ember Sword offers a unique community led and frictionless PvP and PVE player experience, and allows players to have true ownership of digital gaming assets."

"Ember Sword is an open-world MMORPG with a unique community-led and frictionless PvP and PVE player experience. Players can choose their own adventure by conquering mysterious and dangerous lands, engaging in classless combat or exploring the world as peaceful foragers."

"Together, players can go on epic adventures, and share experiences and knowledge. They can choose to prove their worth and skill by defeating monsters, bosses, and other players. They can also choose to explore the world as peaceful foragers of goods and collectibles. What you do and when is entirely up to you! Each weapon type has its own associated skill and so do other RPG elements like crafting. Ember Sword will feature challenging end-game PVE, hardcore PvP, a living economy, and much more!"

"Our groundbreaking AI-Game Master ensures epic dynamic events are always awaiting you and your friends. If players find themselves wandering around the outlands of a nation they will likely be approached by an NPC or creature offering the opportunity to create or participate in a new experience."

"Remember the thrill of your first unforgettable journey into the world of games? The heart-pounding excitement, the camaraderie, the sense of limitless adventure, the lifelong friends we make along the way and the sense of community we feel while doing the thing we love - playing together. At Ember Sword, we're not just recreating that feeling - we're taking it to new heights, we aim to revolutionize how great games are accessed and played. Taking full advantage of modern technology to enhance player participation, we can create memorable experiences for generations to come.

Blending early MMORPG (Massively Multiplayer Online Role Playing Game) nostalgia with modern innovation, we strive to create a game that unites players from diverse backgrounds to forge their unique stories. Ember Sword is our invitation for you to embark on a journey of adventure, friendship, and enduring memories.

Join us as we shape the future of gaming in the enthralling world of Ember Sword, reigniting the spark of discovery and connection."

"Step into the world of Ember Sword, where the community of players reign supreme. At Ember Sword, our primary mission is to create a captivating MMORPG that places the gameplay experience above everything else. Ember Sword has the fast-paced combat of aRPGs, combined with the isometric view and skill-based abilities of MOBAs, set in a persistent MMORPG sci-fi fantasy universe.

Whether you are a free2play warrior, or a driving force in the bustling economy, we have built a world which ensures a vibrant and thriving ecosystem for all to benefit from. From rare and in-demand cosmetic items and dynamic land ownership, to social emotes and Collectables, players will have the chance to acquire, trade, and build a landscape like no other. These player controlled items on the blockchain not only add a sense of ownership and rarity, but also bring a new level of excitement and thrills to the game. This immersive MMORPG puts the power of the game in the hands of its players, creating an exciting and dynamic experience unlike any other."

"According to Foresight News, a vulnerability has been detected in the unverified Ember Sword NFT auction contract by Certik. The flaw has reportedly allowed the extraction of 60 WETH, equivalent to approximately $195,000, from 159 victims who approved the contract. Certik has urged users to withdraw their approval for the related contract on Polygon."

"This incident only affects users who engaged with the specific Polygon contract in 2021 and did not subsequently revoke their token approvals. Users with Ember Sword items on Immutable X are unaffected as Ember Sword transitioned to IMX in 2022. Our priority is the security and privacy of all our community members. Please always ensure you are taking the right steps to keep your wallets safe and secure."

"This contract adheres to the Open Zeppelin standard, and we are actively collaborating with audit firms, multiple agencies, and authorities to investigate."
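As an added illustration, not code from Ember Sword, CertiK or anyone quoted above, the following Python builds the raw calldata a wallet uses to inspect and revoke an ERC-20 allowance of the kind the warning refers to, and flags lingering approvals to a given spender. Every address in it is a constructed placeholder, not the real Polygon auction or WETH contract.

```python
# Added example: ERC-20 approval hygiene (check, decode, revoke).
# Not Ember Sword project code. All addresses are constructed placeholders.
ALLOWANCE_SELECTOR = "dd62ed3e"  # first 4 bytes of keccak256("allowance(address,address)")
APPROVE_SELECTOR = "095ea7b3"    # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1           # the "infinite approval" many dapps request


def _addr_word(addr: str) -> str:
    """ABI-encode an address as a left-padded 32-byte word."""
    hexpart = addr.lower().removeprefix("0x")
    if len(hexpart) != 40 or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError(f"bad address: {addr}")
    return hexpart.rjust(64, "0")


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for an eth_call to token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def decode_uint256(return_data: str) -> int:
    """Decode the single 32-byte word that allowance() returns."""
    word = return_data.removeprefix("0x")
    if len(word) != 64:
        raise ValueError("expected one 32-byte word")
    return int(word, 16)


def encode_revoke_call(spender: str) -> str:
    """Calldata for token.approve(spender, 0), which revokes the allowance."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + f"{0:064x}"


def plan_revocations(allowances, flagged_spender: str):
    """allowances: iterable of (token, owner, spender, raw_allowance).
    Returns (token, revoke_calldata, severity) for each live approval to the
    flagged spender; a zero allowance needs no transaction."""
    plan = []
    for token, owner, spender, raw in allowances:
        if spender.lower() != flagged_spender.lower() or raw == 0:
            continue
        severity = "unlimited" if raw == UNLIMITED else "limited"
        plan.append((token, encode_revoke_call(spender), severity))
    return plan


# Constructed sample: two users, one still holding an unlimited approval.
WETH = "0x" + "11" * 20      # placeholder token address
AUCTION = "0x" + "ab" * 20   # placeholder auction contract address
USER_A, USER_B = "0x" + "cc" * 20, "0x" + "ee" * 20
SAMPLE = [
    (WETH, USER_A, AUCTION, UNLIMITED),        # still exposed
    (WETH, USER_A, "0x" + "dd" * 20, 5 * 10**18),  # unrelated spender
    (WETH, USER_B, AUCTION, 0),                # already revoked
]
```

Each plan entry is a transaction to the token contract with the given data; sending it from the owner's wallet sets the allowance to zero.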


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Ember Sword NFT Contract Vulnerability
Date | Event | Description
April 27th, 2024 12:20:29 PM MDT | Malicious Transaction | The specific transaction on the Polygon blockchain.
April 27th, 2024 8:41:00 PM MDT | BlockSec Phalcon Tweet | BlockSec Phalcon posts a tweet about the malicious activity being discovered. The loss is initially reported as $240K. However, they report finding no direct way to contact the project.
April 27th, 2024 9:33:39 PM MDT | Binance News Report | The situation is reported in Binance News.
April 27th, 2024 9:35:00 PM MDT | CertiK Alert Posted | CertiK Alert posts about the vulnerability.
April 27th, 2024 10:08:13 PM MDT | CoinLive Article | A CoinLive article is published about the Ember Sword NFT exploit.
April 28th, 2024 1:48:00 PM MDT | Mark Laursen Tweet | Founder Mark Laursen of ember games tweets an announcement about the exploit.
April 28th, 2024 2:38:00 PM MDT | Revoke Address Added | The post is modified to include the smart contract address to revoke permissions for.
April 28th, 2024 3:08:00 PM MDT | Mark Laursen Tweet | Founder Mark Laursen of ember games tweets about Hypernative Labs bringing the issue to their attention. They are discussing internally how to compensate victims.
April 29th, 2024 1:31:00 AM MDT | Hypernative Discussion | Hypernative discusses the tweet by Mark Laursen, claiming they continue "to detect exploits first when everyone else misses".
April 29th, 2024 1:52:00 AM MDT | BlockSec Tweet Drama | BlockSec jabs at Hypernative over its claim to "detect exploits first when everyone else misses".
April 29th, 2024 9:17:00 PM MDT | SlowMist Mention | SlowMist includes the incident in the weekly summary tweet they put together.
April 29th, 2024 11:00:18 PM MDT | YouTube Short | A YouTube short video is published about the incident.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $195,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References