Ethereum, Avax, Fantom, Polygon
Lack of input validation, reentrancy
Revest Finance proposes a new protocol for the packaging, transfer, and storage of fungible ERC-20 tokens as non-fungible tokenized financial instruments, leveraging the ERC-1155 Non-Fungible Token (NFT) standard for ease of access and universality of commerce. Using this product, ownership of underlying assets may be traded in ways that do not affect the value of the underlying asset, leading to a new meta-layer of commerce.
The Revest Protocol suffered an exploit in which roughly $2M worth of tokens (namely BLOCKS, ECO, and RENA) were stolen from our Ethereum-based token vault. In the targeted Revest contract, when a user calls the mintAddressLock function to deposit a certain amount of ERC-20 tokens into the Revest Smart Vault, an FNFT will be created. This NFT represents the number of token assets owned by the user, and the withdrawFNFT function can be called to redeem the tokens in the future.
The root cause of the attack is that when the attacker uses the ER1155 standard to cast an NFT, the onERC1155Received function of the recipient’s address will be called. The attacker uses this point to call back the depositAdditionalToFNFT function in the Revest contract. This function will mint a new NFT, and then it will call the tokenVault contract’s handleMultipleDeposits function to record the new NFT information. However, the handleMultipleDeposits function has no way to verify whether the newly minted NFT exists. Therefore, the attacker used a reentrancy attack to modify the information of the NFT that had been minted. Since the process of creating NFT tokens for ERC20 assets was prior to the attack, the user has now successfully created NFTs representing their 360001 ERC20 tokens without having to deposit ERC20 tokens.
Stolen funds were funnel through Tornado Cash.
DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.