BTNFT Incident - Improper Validation Check Leads to Unauthorized Reward Claim
On April 18, 2025, the BTNFT protocol was exploited, resulting in a loss of approximately $19K.
BTNFT is an NFT contract with built-in BTT token vesting and reward distribution that combines NFT sales with a time-based token release mechanism.
Overview
Attacker:
https://bscscan.com/address/0x7a4d144307d2dfa2885887368e4cd4678db3c27a
Vulnerable Contract:
https://bscscan.com/address/0x0fc91b6fea2e7a827a8c99c91101ed36c638521b
Attack Transaction:
https://bscscan.com/tx/0x1e90cbff665c43f91d66a56b4aa9ba647486a5311bb0b4381de4d653a9d8237d
Exploit Analysis
Looking at the attack transaction, we can see that the attacker is calling the transferFrom function repeatedly, trying to transfer NFTs with IDs ranging from 1 to 500 to the BTNFT contract itself. From the emitted BTT.Transfer and BTNFT.TokensClaimed events, we can determine that the attacker is collecting BTT tokens from the BTNFT contract.
To understand why the attacker was able to do this, let's take a look at the implementation of the transferFrom function in the BTNFT contract. We can see that it calls the _update function to transfer the NFTs to the new owner.
Looking at the implementation of the _update function, when the receiver is the BTNFT contract itself, it calls the claimReward function to transfer BTT tokens to the caller without any checks. This is a clear security vulnerability that allows anyone to transfer BTNFTs to the BTNFT contract itself and claim BTT rewards without actually owning any BTNFTs.
Conclusion
This exploit demonstrates how a simple logic bug in authorization can lead to significant financial losses. The contract's _update function failed to verify if the caller had legitimate rights to claim rewards when NFTs were transferred to the contract itself. This oversight allowed anyone to claim BTT tokens without actually owning any NFTs, resulting in a $19K loss. The incident highlights the critical importance of implementing proper authorization checks and input validation in smart contracts, especially when handling contract self-interactions and reward distributions.