Premint Fingers Open Source Bug Leading To NFT Hack


Premint NFT is attributing its platform’s role in one of the largest non-fungible token hacks in history, the theft of almost $500,000 worth of blockchain assets, to an open source vulnerability. On Sunday, hackers stole 321 NFTs worth roughly $500,000 from 28 wallets belonging to Premint users, Premint creator Brenden Mulligan acknowledged in a live session on Wednesday. Users of the website can sign up to be included in a database of prospective buyers of new NFT projects.

According to crypto security company CertiK, the incident—which impacted wallets holding NFTs such as Bored Ape Yacht Club and Oddities—started with the injection of malicious JavaScript (see: Hackers Steal $421K From Premint NFT Platform). Using the injected code, the attackers displayed a dialog box asking users to confirm ownership of their wallets. Users who did so then found their wallets emptied.

Premint says in a blog post that it uses an open source program that lets users upload photographs into an Amazon S3 bucket. According to Premint, the program contained a flaw that allowed an attacker to bypass the upload restrictions that had been configured. The bug let attackers bypass the limits on which folders they could upload to, alter the site’s JavaScript file and set up the attack.

The criminals used a new domain to deploy a “full payload of malicious JavaScript” at midnight on the same day. Premint says the new code altered portions of the login and project pages to give the impression that Premint was asking for complete access to the victims’ wallets. According to Premint last Sunday, users who clicked on the window asking them to confirm wallet ownership in fact approved a “SetApprovalForAll” setting in their wallet.

SetApprovalForAll is designed to let users of decentralised finance platforms consent in one step to the later transfer of particular tokens that an underlying smart contract has pre-selected. Threat actors abuse the feature to move all of another user’s tokens to their own wallets (see: $8M of Crypto Stolen via Phishing From Uniswap Liquidity Pool).
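Because the page showed a legitimate-looking “confirm ownership” prompt while the underlying transaction was a SetApprovalForAll, the useful defensive check is on the raw calldata rather than on the website’s wording. The following example, added here and not taken from Premint, CertiK or any wallet vendor, decodes a pending transaction’s calldata without external libraries and grades the risk of what the user is about to sign. The function selector `0xa22cb465` is the standard ERC-721/ERC-1155 selector for `setApprovalForAll(address,bool)`; the sample operator address and the allow-list of trusted operators are constructed values.

```javascript
// Added example (not Premint's or any wallet's code): inspect transaction calldata
// before signing and flag a setApprovalForAll(operator, true) request.

// First 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465";

// Decode calldata for setApprovalForAll(address,bool). Returns null when the data
// is not such a call or is not canonically ABI-encoded.
function decodeSetApprovalForAll(calldata) {
  const hex = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8).toLowerCase() !== SET_APPROVAL_FOR_ALL_SELECTOR) return null;
  // selector (4 bytes) + two 32-byte ABI words, as hex characters
  if (hex.length !== 8 + 64 + 64) return null;
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  // An ABI-encoded address is left-padded with 12 zero bytes; reject dirty padding.
  if (!/^0{24}/.test(word1)) return null;
  const operator = "0x" + word1.slice(24).toLowerCase();
  // A bool must be exactly 0 or 1; anything else is malformed encoding.
  if (!/^0{63}[01]$/.test(word2)) return null;
  return { operator, approved: word2.endsWith("1") };
}

// Grade a pending transaction { to, data }. `trustedOperators` is a constructed
// allow-list (e.g. marketplace contracts the user has knowingly used before).
function assessTransaction(tx, trustedOperators = new Set()) {
  const decoded = decodeSetApprovalForAll(tx.data || "0x");
  if (!decoded) {
    return { risk: "none", message: "not a setApprovalForAll call" };
  }
  if (!decoded.approved) {
    return { risk: "low", message: `revokes operator ${decoded.operator} on ${tx.to}` };
  }
  if (trustedOperators.has(decoded.operator)) {
    return {
      risk: "medium",
      message: `grants transfer rights over every token in ${tx.to} to known operator ${decoded.operator}`,
    };
  }
  return {
    risk: "high",
    message: `grants transfer rights over every token in ${tx.to} to unknown operator ${decoded.operator}`,
  };
}

// Constructed sample: a collection contract and an operator address made of 1s.
const SAMPLE_OPERATOR = "0x" + "1".repeat(40);
const SAMPLE_TX = {
  to: "0x" + "c".repeat(40), // constructed NFT collection address
  data:
    "0x" +
    SET_APPROVAL_FOR_ALL_SELECTOR +
    "0".repeat(24) + "1".repeat(40) + // operator, left-padded to 32 bytes
    "0".repeat(63) + "1",             // approved = true
};

function demo() {
  return assessTransaction(SAMPLE_TX);
}

module.exports = { decodeSetApprovalForAll, assessTransaction, demo, SAMPLE_TX, SAMPLE_OPERATOR };
```

A “confirm ownership” action never needs a state-changing transaction at all; a plain signed message suffices. Any prompt that produces a `setApprovalForAll(..., true)` call to an operator the user does not recognise should be surfaced as a transfer-rights grant, not as a login step.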

According to the company, the attackers were unable to access Premint’s web or database servers. “This is a good reminder of the scale of damage an attacker can level against a website from access to client side JavaScript, especially in the realm of web3. Full stack security has never been more important,” it says.

