Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

In the smart contract code, there is a function that takes in several address for storing an NFT. This includes the deployer (owner) and the beneficiary.

When it does the saving, there is no validation that the address of the beneficiary is 0x0. This is rated as a high finding because of the major loss of funds that could occur. This is especially bad since there is no way to change the storage, even as an administrator, to fix this mistake. Should they ALWAYS check that the location being sent to is valid? Hmmm. To me, in the context of this contract, setting beneficiary to the wrong address (not just 0x0), would be bad. I don't understand why only 0x0 is called out.

0x0 address is very special. It is the ERC20/ERC721 specification that the burn function is used to destroy and the mint is used to transfer from the zero address. In this case, they are entirely separate. However, it is not uncommon to see this code shared between other functions. So, with the shared code path and a 0x0 address, this could lead to a burned NFT by accident. Yikes!

Overall, simple issue with weird impact. Thanks to bytes032 for all of the fun Solidity challenges lately.