Post-mortem Regarding the Recent Incident on the Marketplace Smart Contract

Nya Team
Sep 7, 2024


Dear Community,

We recently experienced an exploit on our marketplace smart contract. This is an unfortunate event, as we have always prioritized user safety and security. Here are the exact details of how it occurred:

Sep-02-2024 08:13:08 PM UTC: Our Deployer address approved the marketplace smart contract to spend its $NYA for testing purposes, to confirm that the marketplace was functioning as expected. This approval is the one the attacker later used. (https://bscscan.com/tx/0x19e11ba10468a64c1054ac3ab04b3b2b84951f5d348a7221c224f797dbdb1fda)

Sep-06-2024 05:39:00 PM UTC: A team member from SEAL911 contacted us to warn about a vulnerability in our Marketplace smart contract that would allow an attacker to drain any user who had approved the marketplace smart contract to spend their tokens or NFTs.

Sep-06-2024 06:03:47 PM UTC: While we were still investigating the issue, the attacker executed the exploit. (https://bscscan.com/tx/0x77d9cf098bcc76e6b417628040a10038f8e83306ba6d1fa3e003a59bf14d24ba)

Sep-06-2024 06:09:53 PM UTC: Immediately after the exploit, the attacker sold a total of 1,313,936,686,296.7584 $NYA for 334 BNB, which is currently held at this address: (https://bscscan.com/address/0x4c7bd8393a629fffcf6c209dc3ec0e16f3f96d86)

Sep-06-2024 06:49:47 PM UTC: We applied a hotfix that removed the vulnerable code from the smart contract, containing the damage.

What exactly was wrong with the smart contract?

The contract underwent a comprehensive audit with Hacken before deployment to mainnet (https://audits.hacken.io/catgirl/sca-catgirl-marketplace-may2023/). However, the audit did not identify this critical vulnerability in the source code.

Our previous marketplace smart contract had been running for over a year without any problems, mainly because we had not verified its source code on BSCscan. The new marketplace smart contract was verified immediately after deployment, which exposed the bug to the public. Note that the contract bytecode was on-chain and callable the entire time; leaving the source unverified only made the flaw harder to find, it never prevented anyone from exploiting it.

The issue lies within the atomicMatch function, which did not validate its inputs. It allowed the caller to make the marketplace perform an arbitrary call, and because the marketplace had been approved as a spender by its users, that call could move the approved tokens out of a victim's wallet.
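To make the bug class concrete, here is an added, hypothetical illustration. It is not the Nya marketplace source, not the audited contract, and not the attacker's transaction; the contract names, the owner-managed allow-list and the specific checks are assumptions for the example. It shows an atomicMatch that relays caller-supplied target and calldata, how a single transferFrom forwarded through it spends a victim's approval, and a hardened version that only ever spends the caller's own approval.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only: not the Nya marketplace source, not the audited
// contract, and not the attacker's transaction. Names and checks are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the caller chooses both the target and the calldata,
/// so the marketplace (which users have approved as a spender) executes any
/// call on the caller's behalf, including transferFrom on a victim's balance.
contract VulnerableMarketplace {
    function atomicMatch(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

/// How the approval is abused: inside the token, msg.sender of transferFrom
/// is the marketplace, so the token checks allowance[victim][marketplace],
/// not anything belonging to the attacker. No action by the victim is needed.
contract Attacker {
    function drain(VulnerableMarketplace market, address token, address victim, uint256 amount) external {
        bytes memory data = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, address(this), amount
        );
        market.atomicMatch(token, data);
    }
}

/// Hardened pattern: never relay arbitrary calls. Restrict the target to
/// known token contracts, pin the selector, decode the arguments, and require
/// that tokens only ever leave the caller's own balance.
contract HardenedMarketplace {
    address public immutable owner;
    mapping(address => bool) public allowedToken;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    function atomicMatch(address target, bytes calldata data) external {
        require(allowedToken[target], "target not allowed");
        // selector (4 bytes) + three 32-byte ABI words
        require(data.length == 4 + 96, "bad calldata length");
        require(bytes4(data[:4]) == IERC20.transferFrom.selector, "selector not allowed");

        (address from, address to, uint256 amount) =
            abi.decode(data[4:], (address, address, uint256));

        // The check the vulnerable version lacked: only the caller's own
        // approval may be spent, never a third party's.
        require(from == msg.sender, "can only spend own approval");
        require(to != address(0) && amount > 0, "bad transfer");

        require(IERC20(target).transferFrom(from, to, amount), "transfer failed");
    }
}
```

The practical lesson for users is the same regardless of the exact fix: an approval is a standing grant to the spender contract, so any approval given to a contract that can be talked into making arbitrary calls should be revoked (allowance set to zero) as soon as the flaw is known, not after the contract is patched.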

What is the impact of this incident?

  • Team-held tokens have been drained.
  • The token amount we reserved to help users who forgot to unstake their LP before the migration date has been affected. This applies only to users who held the LP in their wallet; if you still hold tokens in the staking smart contract, you are not affected, as we had moved that amount to a different wallet.
  • All users who hold $NYA tokens in their wallets are safe; no other wallets were exploited besides our deployer wallet.
  • The hack is not directly related to the migration; the same exploit would have been possible earlier if we had verified the previous contract's source earlier.

What are we doing to prevent such incidents in the future?

  • We recognize that we should not have run a test from a critical wallet. We have therefore transferred all token-related smart contract permissions and the LP to a multisig wallet, which requires at least 2 of 3 signers to approve any transaction.
  • Focusing on finishing the DAO as soon as possible. This will allow for complete decentralization of the token while still leaving room for expansion, customization, and adaptation to future upgrades.

We are deeply sorry that this incident occurred and caused concern in the community. Although it resulted in a significant loss, it will not deter us from continuing on our path to realize our vision.

We extend our heartfelt thanks to everyone in our community who has stood by us and supported us through this difficult time. Your support is our greatest motivation to work even harder.

There is no success without failure, and we believe that this is a failure we must face to learn and grow from. Let’s unite to overcome this challenging time and elevate Nya to new heights.

Best regards,

The Nya Team
