NFT Vietnamese game Wanaka Farm was hacked for $1 million because of an API backend bug
Some users are sharing the farm game NFT Wanaka Farm that after alpha testing, beta testing the game, the game is experiencing a lot of errors and errors related to deposit/withdraw.
Hacker stole nearly $1 million by abusing an API backend bug in the NFT game Wanaka Farm
Wanaka Farm is a farm game with many user expectations. However, during alpha and beta testing, users have reported many in-game critical bugs related to withdrawing and depositing crypto. Below is an analysis done by Verichains Lab and BShield, a security startup for mobile systems’ apps, about an attack targeting Wanaka Farm that allowed the hacker to steal over a million USD.
It was officially released on 29th October 2021. The release happened just after bug reports about withdrawing/depositing funds came in, which led to a maintenance announcement. After two days, they announced that the bug was fixed.
The hacker abused the delay while transactions were being confirmed in the blockchain to perform a replay attack on the backend API. Those actions led to the backend API calling smart contract multiple times. The attacker had used this bug to steal more than $500,000 in just a few hours.
Then the developers announced an extended maintenance that lasted for weeks but kept the marketplace open.
However, on 11th November, the hacker abused the same bug again to pocket over $400,000. After we inspected the transaction, we found out that they created 500 addresses (to retrieve funds) to exploit that bug.
- The hacker have created 500 crypto retrieving addresses and distributed 1.188 BNB equally on all of those addresses, and each would get about 0.02 BNB. Then, they sent WANA tokens to one of the addresses (can be any).
- On that same address, they deposited WANA into contract 0x164664fcf89f3b722bcba6f02f2c9e3b9081c2a1. After doing that, they withdrew 5-7 times. The token amount then experienced a boom that increased the amount by 5-7 times, although the hacker only deposited once.
- Send the original token amount to another retrieving address, and send the amount collected through the deposit bug to the main wallet.
- Repeat Step 2.
This is not a smart contract error, but a backend API error. The attacker had performed many replay attacks on the API endpoint to claim deposited tokens multiple times.
After being attacked, the developers closed the marketplace for maintenance, and access to the backend API closed. In the end, the attacker sent all tokens to wallet 0x1f7234eabcb85242f15e3fd8962b70a4caf92b4c and sold a huge portion of them for $310K. Currently, the hacker’s wallet is still holding more than 112000 WANA tokens. The average price of each WANA token is $2, so those tokens are equivalent to $240K.
This problem is caused by a delay in the withdrawal process when the transaction has not been confirmed. The attacker quickly sends a withdrawal request, then the backend checks the wallet balance and returns it to availability, resulting in the withdrawal function being called from the smart contract and generating multiple withdrawal requests. money. Once the first withdrawal was complete, the backend no longer allowed withdrawals, but the attacker got back 5-7 times the amount of tokens. This was a huge mistake in development, with APIs reliant on smart contracts to execute transactions.
The security of a product that uses blockchain and crypto tokens like an NFT game depends not only on the smart contract, but also the application itself, backend APIs, development workflows, and other service systems.
Sign up for a Binance account here (Discount 10% trading fees): https://accounts.binance.com/en/register?ref=29171587
- Investment Loss, Fraudsters Set Up A Scheme To Steal 168 BTC, Plan To Kidnap For Another 1,000 BTC
- Cryptocurrency Protocol Tsuzuki Inu Has Done The Same Thing As SQUID Again