On January 28, 2022, The Sandbox publicly announced the migration of LAND smart contracts due to a discovered vulnerability. However, the statement did not specify the details of the vulnerability. The SlowMist’s security team investigated the vulnerability and will now share our brief analysis with the public to prevent future attacks.
The Sandbox is a virtual gaming world where players can build, own, and monetize their gaming experiences on the Ethereum blockchain using the native token SAND.
1.Let’s start by looking at the contract in question: 0x50f5474724e0Ee42D9a4e711ccFB275809Fd6d4a.
In the past, the _burn function that was set to be called was set in a public state.
Even though there is a require(from == owner, “not owner”); in the function, the from in the function can still be constructed by any caller. This could results in anyone burning other players NFTs at will.
2.We queried the transaction records on chain and discovered that someone had already performed the _burn test. They had successfully burned a piece of NFT that did not belong to them, but no large-scale attacks were found. This could have been a white hat test.
3.From the above picture we can see that the burned tokenID is 3738 , but the NFT tokenURI (https://api.sandbox.game/lands/3738/metadata.json) can still be accessed.
The NFT information of the land can still be accessed (https://www.sandbox.game/en/lands/9045d0ed-2fdd-4bd1-b606-28527b4eb39c/) , we can speculate that the Sandbox team could have made these changes.
4.Now let’s take a look at the upgraded contract: 0x5CC5B05a8A13E3fBDB0BB9FcCd98D38e50F90c38
The team has switch to a proxy contract after this update (Could be to facilitate secondary upgrades to the contract if a problem occurs in the future).
The LAND token contract address: 0x1fc6479bdc7511c6803aff2f477e0fd3171606e0 is found to have the _burn function modified to internal.
5.This is our brief analysis of the vulnerability that caused The Sandbox Land migration. We also discovered after our query that some NFT owners have not yet migrated to this new contract, and we strongly advise them to do so. They can use the link below from the Sandbox team with the migration. https://www.sandbox.game/en/
The Sandbox team confirmed the vulnerability could have caused severe losses for their user. Still, they were able to propose a solution promptly. However, the details of this vulnerability are still terrifying. An attacker could have used this exploit to burn a significant amount of land in the Sandbox.
Based on this vulnerability, we can conclude that when it comes to securing the Metaverse, you can never be too safe. The SlowMist security team suggests that projects broaden their security perimeters and conduct routine security audits before and after launch to prevent future attacks.