MetaDragon NFT Ownership Check Commented

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

MetaDragon is an online play-to-earn game. The MetaDragon smart contract was released without an ownership check on the NFTs which were minted, which allowed anyone to claim and sell the NFTs of other users. Over 4,000 NFTs were stolen because of this missing check. The team has reportedly compensated all users who were affected.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About MetaDragon

"Welcome to MetaDragon! We are Lord of MetaDragon, Let’s Collect, Hatch, Battle, Compete and Auction NFTs Together"

"MetaDragon protocol is known for its novel approach to Play-to-Earn (P2E) gaming. Which integrates elements such as NFT trading, gaming, and financial incentives. The platform uses the NFT111 protocol to enhance liquidity and stability within its ecosystem. And this not only affects the financial stability of MetaDragon but also the trust within the community and potential investors."

"The META project was initiated in 2022 and has undergone over two years of development and construction. Many people, including technical and community members, have been involved. As a web3 startup team, the developers have invested a significant amount of funds and endured a lengthy development process, with long-term support and companionship from the META community."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - MetaDragon NFT Ownership Check Commented
| Date | Event | Description |
|---|---|---|
| May 29th, 2024 2:47:05 AM MDT | Blockchain Transaction | The oldest exploit transaction reported on the BlockSec dashboard. |
| May 29th, 2024 3:19:00 AM MDT | BlockSec Tweet Posted | BlockSec reports on the exploit happening. |
| May 29th, 2024 3:35:00 AM MDT | MetaDragon Tweet Announcement | MetaDragon posts a tweet announcing the exploit to their community. |
| May 29th, 2024 4:11:00 AM MDT | Heavy Hearts Tweet | The team announces that they are doing an urgent review of the security in the smart contract. |
| May 29th, 2024 6:31:00 AM MDT | Compensation Form Released | MetaDragon releases a compensation form for the community to request reimbursement. The form requests the BSC address and number of META NFTs which the user held. |
| May 29th, 2024 6:40:00 AM MDT | Nick L Franklin Tweet | Nick L Franklin reports that a particular check to ensure ownership of the NFT was actually commented out in the source code by one of the developers. |
| May 30th, 2024 3:51:00 AM MDT | Update More Details | An update is provided with more details on the scope of the attack, including that over 4,000 NFTs were taken. |
| June 1st, 2024 3:44:00 AM MDT | Compensation Reportedly Sent | The MetaDragon team reports that they have now compensated all users, and provides a contact form for anyone who believes they are still owed compensation. |
| June 3rd, 2024 3:06:00 AM MDT | Subsequent Tweet | MetaDragon shared a follow-up tweet in which they announce 20x rewards to be issued, and that this upcoming season will be the last one before they cease operation and enter a technical maintenance phase. |
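
The timeline above records that the ownership check had been commented out in the source. As an added example (not MetaDragon's code and not part of the original case study), the following pre-deployment check flags guard statements left inside comments in Solidity source. The sample contract, its function names and the guard heuristic are all constructed assumptions.

```python
import re

# Constructed Solidity sample: a hypothetical contract, not MetaDragon's source.
SAMPLE_SOL = '''\
contract DemoNft {
    mapping(uint256 => address) private _owners;

    function convertToToken(uint256 tokenId) external {
        // require(_owners[tokenId] == msg.sender, "not owner");
        _burn(tokenId);
        /* if (ownerOf(tokenId) != msg.sender) revert NotOwner(); */
        _payout(msg.sender);
    }

    function transfer(address to, uint256 tokenId) external {
        // only the holder may move the token
        require(_owners[tokenId] == msg.sender, "not owner");
        _owners[tokenId] = to;
    }
}
'''

# String literals are matched first so that "//" inside a string is not
# mistaken for the start of a comment.
TOKEN = re.compile(r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/''', re.DOTALL)
# Heuristic (an assumption): the comment holds a guard statement, not prose.
GUARD = re.compile(
    r'\b(?:require|assert)\s*\('
    r'|\brevert\b[^;\n]*;'
    r'|\bif\s*\(.*\b(?:msg\.sender|ownerOf)\b')

def commented_out_guards(source):
    """Return [(line_number, text)] for comment lines that contain guard code."""
    findings = []
    for match in TOKEN.finditer(source):
        token = match.group(0)
        if token[0] in '"\'':
            continue  # string literal, not a comment
        body = token[2:] if token.startswith('//') else token[2:-2]
        first_line = source.count('\n', 0, match.start()) + 1
        for offset, line in enumerate(body.split('\n')):
            if GUARD.search(line):
                findings.append((first_line + offset, line.strip()))
    return findings

if __name__ == '__main__':
    for lineno, text in commented_out_guards(SAMPLE_SOL):
        print(f'line {lineno}: commented-out guard: {text}')
```

A hit is a prompt for manual review before deployment, since the pattern match cannot tell whether the disabled check was still needed.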

Technical Details

"Our system has detected a series of attack transactions targeting @MetaDragonDao's contract on #BSC, resulting in a loss of $180K. We have DMed the project but have not received a reply yet.

It appears the exploit cannot continue as the corresponding P404NFT tokens (0x336a) have been burnt. Please take action ASAP and avoid minting more of these tokens!"

"The attacker address is: 0xc468D9A3a5557BfF457586438c130E3AFbeC2ff9"

Total Amount Lost

The total amount lost has been estimated at $181,000 USD.

Immediate Reactions

"According to the SlowMist security team, potential suspicious activity has been detected in the GameFi protocol MetaDragon, and users are advised to remain vigilant. MetaDragon stated that users need to convert their META NFTs into tokens as soon as possible to minimize community losses."

"It is with a heavy heart that we inform you of an unfortunate thing: our META NFTs have just suffered a hacker attack, resulting in the loss of all NFTs in our community. We are making every effort to take urgent measures and our current approach is as follows:

1. Conduct an urgent review of the security issues in the NFT contract and identify the hacking path.
2. Track the hacker and strive to recover the stolen funds.
3. Collect specific data on the affected wallet addresses.

We will maintain transparency and share the progress of this situation with the community. We deeply apologize to all community members for this hacking incident. We are shocked and saddened by this event, and we will handle it actively!"

"CAUTION: Please convert your META NFTs to tokens as soon as possible to reduce community losses!" "The META NFT contract has just been hacked. The hacker converted many NFTs in wallets to META tokens and sold them. The attack path originated from the META NFT."

Ultimate Outcome

"The recent hacking incident has brought about many issues, and we will actively communicate and address them!

Firstly, we would like to remind you that the NFT contract remains insecure. Please refrain from minting NFTs.

After preliminary assessment and communication, over 4000 NFTs were compromised in this hacking incident. After deducting portions allocated to the META fund and marketing, community members have incurred losses of approximately 2400 NFTs. Additionally, there have been losses incurred by some investors and liquidity providers, resulting in a significant overall impact.

Through communication, we have obtained understanding from some partners and major holders. In times of crisis, some members have expressed their willingness to postpone their claims, prioritizing the compensation of other members. We deeply appreciate this gesture!

Yesterday, META's price was approximately $0.012. We plan to compensate each NFT at a rate of "10,000 META + 0.15 BNB", resulting in a total compensation amount of approximately 24 million META + 360 BNB.

The compensation amount is relatively big, and it will take some time to raise the necessary funds. We will begin the compensation process gradually starting today.

If you have already filled out the registration form, we will verify and compensate accordingly, providing updates on the progress simultaneously."

"Recently, $META contract was hacked, and we deeply apologize for the inconvenience caused! We are very grateful for the understanding shown by some of our partners and major stakeholders! Note: Currently, the NFT contract still has security vulnerabilities. Please do not mint NFTs."

"In the face of this severe setback, we are actively communicating and handling the situation. The arrangements for the near future are as follows:

1. Second MWars season will start on June 4 and will last for 15 days. Season rewards and daily rewards will follow the arrangements of the first season.
2. After second season ends, MWars will cease operations and enter technical maintenance.
3. Top 200 players of the second season will receive an additional airdrop of $META, amounting to 20 times the season rewards.

In the future, the team will focus on building around ColletFi gameplay, seeking strong investors to collaborate and develop META and ColletFi.

We deeply appreciate your supports, and cooperation!"

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References