Land of Genesis Mint Permission Hack
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
The Land of Genesis NFTs don't appear to have a widely known homepage. There are a maximum of 1,500 of them. An attacker appears to have minted a portion of NFTs that weren't supposed to be minted. Most funds remain in the attacker's wallet.
About Land of Genesis
"Welcome to the home of land on OpenSea. Discover the best items in this collection." "Land of Genesis NFT is the ecological core andeconomic construction foundation of Miracle Farm,with a total of 1500 scarce resources.If you ownland NFT will get the entrance ticket of MiracleFarm ecology."
An attacker repeatedly minted over 200 LAND NFTs and sold them all for a net gain of roughly $150,000 USD.
|April 3rd, 2023 9:20:49 PM MDT||Land of Genesis NFT Sold||Land of Genesis NFT #1 is sold for 12.18 BNB.|
|April 26th, 2023 11:16:29 PM MDT||Binance Smart Chain Transaction||TBD what is this transaction? Early mint?|
|May 14th, 2023 10:39:50 AM MDT||Malicious Minting Transaction||The malicious minting transaction occurs on the Binance Smart Chain. In this transaction, 200 NFTs are minted by the attacker exploiting the lack of validation.|
|May 15th, 2023 12:42:03 AM MDT||Foresight News Report||Foresight News reports on the incident (in Chinese).|
|May 15th, 2023 12:46:00 AM MDT||Beosin Alert on Twitter||An alert is flagged on Twitter by Beosin.|
|May 15th, 2023 1:57:00 AM MDT||DeDotFiSecurity Report||A technical analysis is shared on DeDotFiSecurity Twitter.|
|May 24th, 2023 7:52:13 PM MDT||Odaily Planet Daily News Report||The situation is published in Chinese language news site Odaily Planet Daily. TBD summarize.|
On May 14th, 2023 10:39:50 AM MDT, there were 200 Land of Genesis NFTs minted.
Smart Contract: 
Malicious Smart Contract: 
"Odaily Planet Daily News According to Beosin EagleEye’s security risk monitoring, early warning and interruption platform monitoring under the block chain security audit company Beosin, on May 14, Beijing time, DeFi Agreementland was suspected of being attacked, with a loss of approximately US$150,000. Beosin Trace traced and found that 149,616 BUSDs have been stolen."
"The reason for the attack was the lack of mint authority control. Specifically, there are several miner addresses at the （ project side mint NFT, including 0x2e59983715d2f92468fa5ae3f9aab4e930e3ac78; ）2（ attacker call 0x2e59，Use the NFT cast in the previous step to exchange a large amount of XQJ tokens （ for each NFT to 200 XQJ） until the contract cannot be replaced by XQJ; （4） The attacker exchanged 149,616 BUSDs;（5."
"Some of the miner addresses of the project can mint unlimited quantity of NFTs, including this wallet: 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7"
"The scammer calls 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract to mint 200 NFTs"
"Then, the scammer calls the 0x2c672a34 function of the 0xeab03ad7ea0ac5afb272b592bef88cf93ed190c5 contract to swap for a large amount of $XQJ using the previous minted NFTs (200 $XQJ per NFT)
The attacker swaps 28,601 $XQJ for 149,616 $BUS"
"The scammer minted NFTs again until the NFT issue limit was reached"
DeDotFiSecurity Technical Analysis
The DeDotFiSecurity Twitter posted a technical analysis explaining the exploit on Twitter.
~$150,000 Exploit Alert
Today, $LAND was exploited for 200 NFTs, caused by a lack of permission control on mint
Here`s the on-chain flow of the attack
1/ Exploit tx https://bscscan.com/tx/0xe4db1550e3aa78a05e93bfd8fbe21b6eba5cce50dc06688949ab479ebed18048
Some of the miner addresses of the project can mint unlimited quantity of NFTs, including this wallet: 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7
The scammer calls 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract to mint 200 NFTs
2/ Then, the scammer calls the 0x2c672a34 function of the 0xeab03ad7ea0ac5afb272b592bef88cf93ed190c5 contract to swap for a large amount of $XQJ using the previous minted NFTs (200 $XQJ per NFT)
The attacker swaps 28,601 $XQJ for 149,616 $BUS
3/ The scammer minted NFTs again until the NFT issue limit was reached
Total Amount Lost
The total amount lost has been estimated at $150,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
The incident was included as a hack on the SlowMist website.
Translated News Article
Below is a translation of the news article which appeared on the Odaily Planet Daily News website.
Security company: DeFi protocol land is suspected of being attacked, with a loss of about 150,000 US dollars
Odaily Planet Daily News According to the Beosin EagleEye security risk monitoring, early warning and blocking platform monitoring of the blockchain security audit company Beosin, on May 14th, Beijing time, the DeFi protocol land was suspected of being attacked, with a loss of about 150,000 US dollars. Beosin Trace found that 149,616 BUSD has been stolen, and most of the stolen funds are still at the attacker's address.
The reason for the attack is the lack of mint permission control. Specifically, (1) the project has several miner addresses that can mint NFT, including the 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract; (2) the attacker calls the 0x2e599883715d2f92468fa5ae3f9aab4e930e3ac7 contract to mint 200 NFTs; (3) attack The user calls the 0x2c672a34 function of the 0xeab03ad7ea0ac5afb272b592bef88cf93ed190c5 contract, using The NFT minted in one step is exchanged for a large number of XQJ tokens (each NFT is exchanged for 200 XQJ), until the contract cannot be exchanged for XQJ; (4) The attacker exchanged 28,601 XQJ for 149,616 BUSD; (5) The attacker mint NFT again until the NFT The upper limit of issuance, the attacker still holds 733 NFTs after the attack.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
"Most of the stolen funds are still at the attacker's address."
There do not appear to be any further developments to play out in this situation.
Individual Prevention Policies
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
- land - Collection - OpenSea (May 15, 2023)
- Land of Genesis NFT #1 - OpenSea (May 24, 2023)
- land Collections - BitKeep NFT (May 15, 2023)
- land (land) Token Tracker - BscScan (May 15, 2023)
- DeDotFiSecurity - "Today, $LAND was exploited for 200 NFTs, caused by a lack of permission control on mint" - Twitter (May 15, 2023)
- BeosinAlert - "The attacker minted NFTs again until the NFT issue limit was reached." - Twitter (May 15, 2023)
- Transaction Selling Land NFT #1 For 12.18 BNB - BscScan (May 24, 2023)
- Binance Transaction Hash (Txhash) Details | BscScan (May 15, 2023)
- Minting Attack Transaction - BSCScan (May 16, 2023)
- Beosin: The DeFi protocol land is suspected of being attacked, and the loss is about 150,000 US dollars - Foresight News (May 15, 2023)
- BeosinAlert - "$land was exploited with a loss of 149,616 $BUSD" - Twitter (May 16, 2023)
- 安全公司：DeFi协议land疑似遭到攻击，损失约15万美元-快讯-ODAILY (May 15, 2023)
- Malicious Smart Contract 0x2e59...3ac7 - BscScan (May 15, 2023)
- SlowMist Hacked - SlowMist Zone (Jun 26, 2021)