On January 15, 2025, the Idols NFT project suffered a significant security breach, resulting in the theft of approximately $324,000 in stETH. The attack targeted a vulnerability in the smart contract of the project, specifically a flaw in the _beforeTokenTransfer function. This vulnerability occurred when the sender and receiver addresses were the same, allowing the attacker to repeatedly claim rewards, draining funds from the contract. Despite the project having undergone audits in previous years, the exploit took place in a contract that might not have been thoroughly reviewed for such flaws.
The exploit was based on flawed logic in the reward-claiming process during NFT transfers. The _beforeTokenTransfer function, which is triggered during transfers of ERC721 tokens, failed to correctly handle reward claims when the sender and receiver were the same. This oversight allowed the attacker to claim stETH rewards multiple times through self-transfers, exploiting the system for their benefit. By resetting the claimedSnapshots value with each transaction, the attacker was able to trick the system into believing the rewards had not been claimed, enabling repeated exploitation.
The attack’s flow involved the attacker initiating a series of NFT transfers, where the sender and receiver were identical. In each iteration, the attacker claimed rewards, and the claimedSnapshots value was deleted or reset, which allowed them to claim rewards again in the next transaction. This series of self-transfers enabled the attacker to siphon stETH rewards repeatedly, accumulating a total of 97 stETH (around $324,000). The Idols NFT team has since identified suspicious transactions and is investigating the matter to determine the full impact and potential resolutions.
As a precautionary measure, the Idols NFT team has advised users to refrain from interacting with any contracts related to the project until further notice. The team is working to address the situation and ensure the security of the platform. They have also pledged to explore all available options to resolve the exploit and prevent future incidents of this nature. The breach highlights the importance of thoroughly auditing smart contracts and maintaining secure systems in the rapidly evolving world of NFTs and blockchain technology.
Reference: