DeHacker Security
Published in

DeHacker Security

What Can We Learn From Premint Hack Event?

On July 17, the popular NFT registration platform Premint suffered from a hack that resulted in the fact that 314 NFTs, which included NFTs from notable projects like Bored Ape, Goblintown, and Otherside, with a total value of $370,000 have been stolen.

Premint confirmed the hack and said that only a “relatively small number of users” had been affected, adding that Etherscan had identified four wallets associated with the attack.

How Attack Happened?

The attacker deployed malicious js code on the project’s official website https://premint.xyz, which will load https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js on the attacker’s server document.

Once the user visits the website and connects to the wallet, the attacker will induce him to approve the setApprovalForAll transaction, so that the attacker can obtain the ownership of all NFTs in the user’s wallet and sell its pending order on the OpenSea exchange.

What is PREMINT?

PREMINT is used by the top NFT artists in the world to build access lists and to randomly select the collectors and community members to win a spot. 800,000 collectors have joined lists without spending any gas.

Suggestion

In response to this hacking incident, our team suggested:

1. When the wallet is found to be stolen, the user should go to revoke.cash to cancel the authorization in time.

2. Users need to avoid excessive authorization to ensure property safety.

About DeHacker

DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.

Website | Twitter | Blog | Telegram |

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store