Deep Dive into High-Profile Crypto Exploits — Part II: NBA’s The Association

Background

  • ecrecover() — a Solidity built-in that recovers the address that signed a given message hash, which lets a smart contract validate that a message was properly signed by a specific address. The signature is computed off-chain and can be shared by the user as a “proof” for the smart contract that it was signed by an expected party.
    It is mainly used to log in to websites (like OpenSea) or to whitelist addresses in a presale without triggering a blockchain transaction.
    You can read more about it here.

The Attack — A High-level overview

function verify(vData memory info) public view returns (bool) {
    require(info.from != address(0), "INVALID_SIGNER");
    bytes memory cat =
        abi.encode(
            info.from,
            info.start,
            info.end,
            info.eth_price,
            info.dust_price,
            info.max_mint,
            info.mint_free
        );
    // console.log("data-->");
    // console.logBytes(cat);
    bytes32 hash = keccak256(cat);
    // console.log("hash ->");
    // console.logBytes32(hash);
    require(info.signature.length == 65, "Invalid signature length");
    bytes32 sigR;
    bytes32 sigS;
    uint8 sigV;
    bytes memory signature = info.signature;
    // ecrecover takes the signature parameters, and the only way to get them
    // currently is to use assembly.
    assembly {
        sigR := mload(add(signature, 0x20))
        sigS := mload(add(signature, 0x40))
        sigV := byte(0, mload(add(signature, 0x60)))
    }
    bytes32 data =
        keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", hash)
        );
    address recovered = ecrecover(data, sigV, sigR, sigS);
    return signer == recovered;
}

require(msg.sender == info.from, "The sender is not in the whitelist");
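
A hardened variant of the check above, as an added example that is not code from the article or from the contract it analyses. The voucher is bound to the calling wallet (the `require(msg.sender == info.from, ...)` line) and, going beyond what the page shows, to the chain id and contract address, with low-`s` and `v` checks on the signature. `VoucherMint`, `Voucher`, `mintApproved`, `minted` and the reduced field list are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; VoucherMint, Voucher, mintApproved and minted are hypothetical names.
contract VoucherMint {
    struct Voucher {
        address from;     // wallet the off-chain signer approved
        uint256 maxMint;  // allowance granted to that wallet
        bytes signature;  // 65 bytes: r (32) || s (32) || v (1)
    }

    address public immutable signer;            // off-chain whitelist key
    mapping(address => uint256) public minted;  // per-wallet usage counter

    // Half the secp256k1 group order; a larger s is the malleable twin of a valid signature
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(address signer_) {
        // ecrecover returns address(0) on failure, so a zero signer would match bad signatures
        require(signer_ != address(0), "INVALID_SIGNER");
        signer = signer_;
    }

    function verify(Voucher memory info) public view returns (bool) {
        bytes memory sig = info.signature;
        if (sig.length != 65) return false;
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(sig, 0x20))  // first word after the length prefix
            s := mload(add(sig, 0x40))
            v := byte(0, mload(add(sig, 0x60)))
        }
        if (uint256(s) > HALF_N || (v != 27 && v != 28)) return false;
        // Bind the voucher to this chain and this contract as well as to the wallet
        bytes32 hash = keccak256(abi.encode(block.chainid, address(this), info.from, info.maxMint));
        bytes32 data = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", hash));
        return ecrecover(data, v, r, s) == signer;
    }

    function mintApproved(Voucher memory info, uint256 amount) external {
        // A voucher is only valid for the wallet it names
        require(msg.sender == info.from, "The sender is not in the whitelist");
        require(verify(info), "INVALID_SIGNATURE");
        require(minted[msg.sender] + amount <= info.maxMint, "Exceeds allowance");
        minted[msg.sender] += amount;  // a real token contract would mint here
    }
}
```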

Prevention

Summary

About Solid Group

  • Audited token generator (generate your own token with NO CODING KNOWLEDGE)
  • Sniper bot protection tool
  • Smart contract auditing service


We are a group of 3 software developers with combined experience of over 15 years in various fields such as software design, operating systems, and Solidity.
