A DeFi detective claims this “strange” smart contract code might put dozens of projects at risk

“TLDR: Even if the owner is the null address, they can still withdraw money,” writes zachxbt.

zachxbt, a well-known DeFi detective, claims that 31 NFT projects may be at risk because of “strange code.” According to a lengthy Twitter thread posted by the DeFi investigator on Tuesday, NFT project Thestarlab was compromised for 197.175 Ether (ETH), valued at $580,325 at the time of publication. _MouseDev, a fellow blockchain researcher who reviewed Thestarlab’s source code, drew the following conclusion:

“The smart contract [for this project] can never truly be renounced or transferred—only an additional owner. The original deployer will always be considered the owner. This means if they still have the private key of the deployer, they can pull the money, even though the owner is the null address.”

According to _MouseDev, two variables were stored as the owner when the projects’ developers deployed the contracts. One of them was altered to a null address “to appear as though they gave up but preserved another unchanged variable,” _MouseDev explains.

After discovering 31 NFT projects using this data, zachxbt claimed that the same Fiverr developer was responsible for deploying a faulty smart contract in each of them. The DeFi detective also made the following observations:

“Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able to migrate contracts and confront the Fiverr dev. After reviewing internally, a few found other red flags as well.”
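One way to check a contract for the pattern _MouseDev describes, as an added example that is not from the original article or from any project named in it: a heuristic Python scan that flags any variable set to `msg.sender`, used in an access check, and never reassigned. The Solidity sample, its names (`_deployer`, `onlyOwner`) and the function `sticky_owners` are constructed for illustration.

```python
import re

# Constructed Solidity sample (assumption, not any named project's source):
# two owner slots are set at deploy, but renounceOwnership() clears only one.
SAMPLE = """
contract Sample {
    address public owner;
    address private _deployer;
    constructor() { owner = msg.sender; _deployer = msg.sender; }
    modifier onlyOwner() {
        require(msg.sender == owner || msg.sender == _deployer, "not owner");
        _;
    }
    function renounceOwnership() external onlyOwner { owner = address(0); }
    function withdraw() external onlyOwner {
        payable(msg.sender).transfer(address(this).balance);
    }
}
"""
# Corrected form: the access check consults only the slot that can be cleared.
FIXED = SAMPLE.replace(" || msg.sender == _deployer", "")

ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=(?![=>])\s*([^;]+);")
CHECK = re.compile(r"msg\.sender\s*==\s*([A-Za-z_]\w*)"
                   r"|\b([A-Za-z_]\w*)\s*==\s*msg\.sender")

def sticky_owners(source):
    """Names set to msg.sender, compared against msg.sender in a check,
    and never assigned any other value (so renouncing cannot clear them)."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    set_to_sender, reassigned = set(), set()
    for name, value in ASSIGN.findall(source):
        if value.strip() == "msg.sender":
            set_to_sender.add(name)
        else:
            reassigned.add(name)
    checked = {a or b for a, b in CHECK.findall(source)}
    return sorted((set_to_sender & checked) - reassigned)

if __name__ == "__main__":
    print("sample:", sticky_owners(SAMPLE))
    print("fixed: ", sticky_owners(FIXED))
```

This is a textual heuristic: ownership set through helper calls or inherited contracts still needs manual reading or a proper Solidity parser.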

Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.
