Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

Sandbox Public Burn

Step-by-step

  1. Find a player you don't like
  2. Call _burn with (enemyAddress, enemyAddress, id)
  3. You have destroyed your enemy NFT

Detailed Description

The Sandbox Land contract has a _burn method that destroys an NFT.

    function _burn(address from, address owner, uint256 id) public {
        require(from == owner, "not owner");
        _owners[id] = 2**160; // cannot mint it again
        _numNFTPerAddress[from]--;
        emit Transfer(from, address(0), id);
    }

The method apparently intends to authenticate the burn, but does so using parameters to the function instead of msg.sender. This leads to the attack being quite trivial: the attacker just sends from == owner.

Possible mitigations

  • Use msg.sender instead of the function parameter from

Diagrams and graphs

Entity and class diagram

PlantUML

Sources and references