Miner ERC-X avatar collection Suffers $466,000 Loss

Summary

On February 14, 2024, the Miner ERC-X avatar collection experienced a critical security breach on the Ethereum Mainnet, resulting in the unauthorized withdrawal of 168.8 ETH, equivalent to approximately $466,000. The root cause of this breach was a smart contract vulnerability stemming from insufficient input validation, specifically, a double-transfer flaw. This issue enabled an attacker to exploit the contract’s transfer function, effectively duplicating their token balance by executing self-transfers, which were not properly restricted by the contract’s logic.

Attackers

The identity of the attacker is unknown. The following addresses are associated with this attack:

• 0xea75aec151f968b8de3789ca201a2a3a7faeefba
• 0xc181de2f3b0976c266fd5d5d58e101e365f34a70

Losses

The loss amounted to 168.8 ETH, worth $466,000 at the time of the attack.

Timeline

• February 14, 2024, 01:48 PM UTC: An attack transaction occurred.
• February 14, 2024, 03:04 PM UTC: Miner Team sent an on-chain message to the attacker to negotiate the return of the stolen.
• February 14, 2024, 02:29 PM UTC: Miner Team reported about exploit.
• February 14, 2024, 03:39 PM UTC: The Miner token price fell by 82%.
• February 18, 2024, 04:22 PM UTC: The team announced a relaunching.

Security Failure Causes

• Smart Contract Vulnerability: The core issue stemmed from a double-transfer vulnerability within Miner’s smart contract, specifically due to insufficient input validation mechanisms.