Suspicious Code Detected in ETH Smart Contract Putting NFT Projects at Risk

According to the famous DeFi detective who goes by “Zahcxbt” on Twitter, 31 NFT projects may be at risk due to what he calls “suspicious code”. He posted a lengthy thread on Twitter and raised the issue of NFT project Thestarlab, which he alleges was compromised for 197.175 Ether (ETH), worth about US$580,325.

1/ Recently a NFT project was
compromised rugging the team of
197 ETH. Interestingly enough,
suspicious code lay within the
smart contract potentially putting
31 other NFT projects at risk. How
is this possible you ask? Well let’s
dive in. pic.twitter.com/NelTIkoNVm

— zachxbt (@zachxbt) March 8, 2022

Zachxbt quoted his fellow blockchain investigator “MouseDev” who came to the following conclusion after reviewing the code behind Thestarlab:

What this means is that the contract can never truly be renounced or transferred! Only an additional owner. The original deployer will always be considered the owner! You can also check the relinquish and transfer ownership functions to see they never overwrite _creator.

Advertisement

MouseDev

MouseDev supposes that when the developer of the project deployed the contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” MouseDev claims.

According to this information, Zachxbt claims to have uncovered 31 NFT projects that all contracted the same Fiver developer to launch the problematic smart contract. Zachxbt also remarked: “Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able to migrate contacts and confront the Fiver dev. After reviewing internally, a few found other red flags as well.”

Thank Goodness for DeFi Detectives

DeFi detectives have been many a project’s saviour. “Void-of-Silence” posted on Twitter: “Some old info I’ve posted along with some new info out today 💚 a readdressing of the situation would be awesome or a new post about it all 🔥”

Another fellow detective who goes by “Thats AOK” replied to MouseDev’s Tweet by saying: “RUG RUG RUG RUG RUG RUG RUG.”

Last month, an infamous “internet detective” who goes by “Coffeezilla” confronted YouTuber “Ice Poseidon” and got him to admit to stealing US$500,000 in a blatant crypto scam. Coffeezilla later in February managed to expose an NFT scam that would have cost its users US$20 million, had it actually come to pass.