The attacker exploited the loophole and minted 100 Association NFTs.
Less than 24 hours after the National Basketball Association (NBA) announced the minting of its Ethereum-based non-fungible token (NFT), a major loophole has been discovered in the Association digital collectible’s contract.
According to BlockSec, a firm that conducts smart contract audits for digital currencies, the Association NFT has a loophole that allows a non-whitelisted user to mint the digital collectible by copying the signature of investors given early access to the assets.
BlockSec noted that the NBA Association NFT contract did not check that a whitelisted signature matched the sender's address, a flaw that lets unauthorized users mint the non-fungible tokens during the early-access launch.
“The AssociationNFT contract has a vulnerability. The verify function does not:
1) have a nonce so that it can be used only once
2) bind the msg sender with the signer,” BlockSec tweeted earlier today.
— BlockSec (@BlockSecTeam) April 21, 2022
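The two gaps BlockSec names, shown beside a check that closes them. This is an added Solidity example, not the Association NFT contract's code (which this article does not reproduce); the contract, function and variable names are hypothetical, and the voucher layout (chain id, contract address, minter, nonce) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Association NFT contract; every name here is hypothetical.
contract AllowListMintExample {
    address public immutable allowListSigner;    // off-chain key that signs allow-list vouchers
    mapping(bytes32 => bool) public usedVoucher; // voucher digests already redeemed
    uint256 public minted;                       // stand-in for the real token supply

    constructor(address signer_) {
        require(signer_ != address(0), "signer required");
        allowListSigner = signer_;
    }

    function toEthSigned(bytes32 h) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    // Flawed pattern: the signed data names an allow-listed address, but nothing ties it
    // to msg.sender and nothing records use, so a copied signature passes for any caller, repeatedly.
    function verifyFlawed(address listed, uint8 v, bytes32 r, bytes32 s) public view returns (bool) {
        bytes32 digest = toEthSigned(keccak256(abi.encode(listed)));
        return ecrecover(digest, v, r, s) == allowListSigner;
    }

    // Hardened digest: rebuilt on-chain from the caller, a per-voucher nonce, the chain id
    // and this contract's address, so a voucher is valid for one wallet, once, on this contract.
    function voucherDigest(address minter, uint256 nonce) public view returns (bytes32) {
        return toEthSigned(keccak256(abi.encode(block.chainid, address(this), minter, nonce)));
    }

    function mint(uint256 nonce, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = voucherDigest(msg.sender, nonce); // binds msg.sender to the signature
        // Keyed on the digest, not the signature bytes, so a malleated copy is also spent.
        require(!usedVoucher[digest], "voucher already used");
        address recovered = ecrecover(digest, v, r, s);    // returns address(0) on a bad signature
        require(recovered != address(0) && recovered == allowListSigner, "not allow-listed");
        usedVoucher[digest] = true;                        // single use: mark spent before minting
        minted += 1;
    }
}
```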
An attacker has taken advantage of this security loophole in the Association NFT contract to mint 100 units of the digital collectible.
Moments after the attacker minted the Association NFTs, the user proceeded to sell them on the popular non-fungible token marketplace OpenSea.
The attack transaction took place hours after the NBA opened minting of its NFTs, and the user paid a fee of 2.72 ETH, worth around $8,421 at the time of writing.
Incidents like this are one of the reasons developers are advised to conduct adequate security audits of their projects' contracts to uncover loopholes before launch.
The NBA gave their response:
“We recognize the issues with the smart contract which caused the Allow List supply to sell out prematurely. We apologize for this situation and are currently identifying the Allow List wallets that were not able to mint as a result.”
— NBAxNFT (@NBAxNFT) April 20, 2022
NBA Launches Association NFTs
The NBA opened minting of its Association NFT, giving whitelisted users the opportunity to mint part of the 18,000 assets.
According to the basketball association, a unit of the NFT represents a real NBA player featured in this season’s playoffs.
As noted on the Association website, NBA fans will not pay much in acquiring the NFT, as minting will be free. However, users will have to pay for gas costs, which could soar as high as 1 ETH ($3,077).