DeFi detective alleges this ‘suspicious’ smart contract code may put dozens of projects at risk
According to famed decentralized finance, or DeFi, detective zachxbt, 31 nonfungible-tokens, or NFTs, projects may be at risk due to “suspicious code.” In a lengthy Twitter thread published Tuesday, the DeFi detective first raised the issue of NFTs project Thestarlab — which was allegedly compromised for 197.175 Ether (ETH), worth $580,325 USD at time of publication. Zachxbt quoted fellow blockchain investigator _MouseDev, who came to the following conclusion after reviewing the code behind Thestarlab:
“The smart contract [for this project] can never truly be renounced or transferred—only an additional owner. The original deployer will always be considered the owner. This means if they still have the private key of the deployer, they can pull the money, even though the owner is the null address.”
_MouseDev claimed that when the projects’ developers deployed their contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” says _MouseDev.
Based on this information, zachxbt claimed to have uncovered 31 NFTs projects that all contracted the same Fiverr developer to deploy the allegedly problematic smart contract. Additionally, the DeFi detective had the following remarks:
“Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able migrate contracts and confront the Fiver dev. After reviewing internally, a few found other red flags as well.”
1/ Recently a NFT project wascompromised rugging the team of197 ETH. Interestingly enough,suspicious code lay within thesmart contract potentially putting31 other NFT projects at risk. Howis this possible you ask? Well let’sdive in. pic.twitter.com/NelTIkoNVm
— zachxbt (@zachxbt) March 8, 2022