My Smart Contract Bot Encounter

Introduction

I was on cloud 9….. I had deployed and verified yet another 721A NFT contract for a freelance gig.

We had built a full stack web application for the mint, launch was fully planned and the contract was tested…. everything seemed to be going oh so smoothly that was until technological disaster struck one minute into launch when a bot minted out the entire collection pre reveal !

Panic, anxiety, fear and backtracking through code furiously to find the attack vector that was used to exploit the contract I was a mess until I seen how easy this can happen, I then started to research how to prevent smart contract attacks as a whole.

Through my auditing journey as documented here I was able to see what happened once I had those analysis tools set up to begin vulnerability scanning the contract.

Lesson 1

Due to over reliance on shared modifiers I had managed to extract core logic into reusable pass throughs for mint validation this is perfectly handy in most use cases but in ours it lead to a problem.

Since there was a check for max balance of the sender in the modifier rather than the functions main body it was actually being executed before the validation checks of the mint function had run.

Takeaway 1

Keep modifiers light on logic only use for reverting or error handling for simple use cases this can lead to messy race conditions opening up for re-entrancy and gas attacks if not.

Lesson 2

Logic needs to be tested on max and min amounts before signing off (even if the client is pushing you for a date out of the blue) because if you don’t you will be held responsible.

Takeaway 2

Just like a good chef wont send out a bad plate we as smart contract devs must refuse to release contracts before fully testing even if this results in client pushback, safety first always !

Lesson 3

Run automated tests to avoid any edge case exploits.

Takeaway 3

Use automated testing tools in hardhat or any other environment to ensure contracts are solid, audited and verified before hitting mainnet.

Conclusion

Carefully think about logic and abstraction before applying a SOLID methodology fully to your smart contract some things are procedural and need to execute synchronously.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store