Update (July 22 2020): we've posted our plan for affected Shardholders.

Update 2 (July 23): this post has been updated with a summary of the actual vulnerability.

Update 3 (July 30): our auditor RStudios is wrapping up the audit with no major additional issues found and we have added a list of the affected assets below.

Update 4 (4th August):

Most NFTs have now been recovered from their contracts, as well as approx. 80 ETH belonging to liquidity providers for the affected pools.

In the coming 48 hours, these NFTs will be refractionalized, after which the new Shards will be sent out to all holders according to their balances in the snapshots.

The ETH recovered for liquidity providers will also be redistributed in this period.


Things not do:

  • Do not try to trade through Uniswap, it will fail and consume all your gas because transfers are paused.
  • Do not try to counterclaim, it will fail because of the mitigation that has been put in place.

Summary:

  • Around 9 PM EST on July 20th 2020 a potential vulnerability in the Buyouts portion of the NIFTEX smart contracts was reported by a diligent member of the community.
  • The team confirmed the vulnerability and immediately acted to mitigate.
  • All Sharded NFTs on the platform are safe and all transfers are paused.

The summary of the vulnerability is as follows:

  • Buyouts allow a stakeholder A to recover fractionalized NFT by making an offer for all fractions. The Ether corresponding to this initial offer is stored in the Buyout smart contract.
  • Buyouts can be counteracted by other stakeholders if the offer is deemed too low, known as a “counterclaim”.
  • If the counterclaim is successful, the smart contract automatically transfers stakeholder A’s Ether back, because their offer failed. This transfer is the source of the issue.
  • If stakeholder A is a contract, and does not have a payable fallback function, the transfer will fail, causing the entire counterclaim to fail.
  • This could be exploited by a malicious party to get an NFT for cheap, as all counterclaims would fail.

We decided that the best course of action would be to make use of the vulnerability to safeguard the NFTs.

  • All fractionalized NFTs are now undergoing a Buyout and will be released from their contracts to an account in our control in 2 weeks i.e. in the evening (EST) of the 3rd of August. The 2-week period is the default period for Buyouts.
  • All planned Launches and other platform activities are on hold.
  • Liquidity providers on Uniswap will have access on the 3rd of August once all Buyout periods have expired.
  • The NIFTEX smart contracts are verified and accessible on etherscan, example: https://etherscan.io/address/0xc29759225b24239afdb938e290c39bfe6803ff23#code

Further details and follow-up plans will be shared once we have fully coordinated with the reporter of the vulnerability. We are extremely thankful for their assistance.


Thank you for your understanding - we are available in Discord: discord.gg/uQKM5H4.

List of affected assets:

TOS VNM HAUT MBA STAY EGCS COIN WTFTR 1058 CVD $END BUGS BBDD CST ALMX LVS XNQ SFS ROSE PIX1 ZOMB 1-5 JHCS BUNZ CANDY EVADE ACID APS PIX2 BES AJM DED VAMP