“TLDR: Even if the owner is the null address, they can still withdraw money,” writes zachxbt.
zachxbt, a well-known DeFi detective, claims that 31 NFT projects may be at risk because of “strange code.” According to a lengthy Twitter thread the DeFi investigator posted on Tuesday, the NFT project Thestarlab was compromised for 197.175 Ether (ETH), valued at $580,325 at the time of publication. _MouseDev, a fellow blockchain researcher who reviewed Thestarlab’s source code, drew the following conclusion:
“The smart contract [for this project] can never truly be renounced or transferred—only an additional owner. The original deployer will always be considered the owner. This means if they still have the private key of the deployer, they can pull the money, even though the owner is the null address.”
According to _MouseDev, two variables were stored as the owner when the projects’ developers deployed the contracts. One of them was altered to a null address “to appear as though they gave up but preserved another unchanged variable,” _MouseDev explains.
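One way to check a contract for the pattern _MouseDev describes, as an added example that is not Thestarlab's code or either researcher's tooling: a small Python heuristic that flags address variables which still authorise the caller but are never reassigned after deployment. The Solidity sample, its variable names (`_owner`, `_deployer`) and the function `hidden_owner_slots` are constructed for illustration.

```python
import re

# Constructed Solidity sample (not Thestarlab's code): two owner slots, only one is ever cleared.
SUSPECT = """
contract Sample {
    address private _owner;
    address private _deployer;
    constructor() { _owner = msg.sender; _deployer = msg.sender; }
    modifier onlyOwner() {
        require(msg.sender == _owner || msg.sender == _deployer, "not owner");
        _;
    }
    function owner() public view returns (address) { return _owner; }
    function renounceOwnership() public onlyOwner { _owner = address(0); }
    function withdraw() public onlyOwner {
        payable(msg.sender).transfer(address(this).balance);
    }
}
"""
# Same constructed contract with the second slot removed from the access check.
FIXED = SUSPECT.replace(" || msg.sender == _deployer", "")

DECL = re.compile(r"\baddress\s+(?:payable\s+)?(?:(?:private|public|internal)\s+)*(\w+)\s*[;=]")
CALLER = r"(?:msg\.sender|_msgSender\(\))"
CHECK = re.compile(rf"{CALLER}\s*==\s*(\w+)|(\w+)\s*==\s*{CALLER}")
CTOR = re.compile(r"constructor\s*\([^)]*\)[^{]*\{[^}]*\}")  # assumes a flat constructor body

def hidden_owner_slots(src: str) -> list[str]:
    """Address variables that gate access to the caller but are never reassigned after deploy."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)   # drop comments
    declared = set(DECL.findall(src))
    gated = {a or b for a, b in CHECK.findall(src)} & declared  # compared against the caller
    body = DECL.sub("", CTOR.sub("", src))                      # ignore deploy-time writes
    return sorted(v for v in gated
                  if not re.search(rf"\b{re.escape(v)}\s*=(?!=)", body))

if __name__ == "__main__":
    print("suspect:", hidden_owner_slots(SUSPECT))
    print("fixed:  ", hidden_owner_slots(FIXED))
```

A hit means `owner()` returning the null address says nothing about who can still call owner-only functions; the regexes are a triage aid for review, not a Solidity parser.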
After identifying 31 NFT projects with this information, zachxbt claimed that the same Fiverr developer was responsible for deploying a faulty smart contract in each of them. The DeFi detective also made the following observations:
“Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able to migrate contracts and confront the Fiverr dev. After reviewing internally, a few found other red flags as well.”
1/ Recently a NFT project was compromised rugging the team of 197 ETH. Interestingly enough, suspicious code lay within the smart contract potentially putting 31 other NFT projects at risk. How is this possible you ask? Well let's dive in. pic.twitter.com/NelTIkoNVm
— zachxbt (@zachxbt) March 8, 2022
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.