SlowMist
SlowMist|5月 29, 2026 03:44
🚨SlowMist TI Alert🚨 💸 Loss: 85,519.47 USDT 🔍 Root Cause: The `cliamRewred` function in `LegendaryMoneyMonNft` allows arbitrary reward claiming. The only authorization depends on `verify()` which checks `recoverSigner(...) == admin`. `recoverSigner` does not validate `ecrecover` returning `address(0)`, and `changeadmin()` allows setting admin to zero address. The attacker used an invalid signature (r=0, s=0, v=27) which returns `address(0)` from `ecrecover`, passing the check because `admin` was zero address at that moment. 📌 Attacker: 0xe1582248c593df4b367e131922438fec9d76e787 📌 Victim Contract: 0x92d60629ff5d53a0098b51e9b1d59546d1d8e5b6 📌 Vulnerable Contract: 0x92d60629ff5d53a0098b51e9b1d59546d1d8e5b6 The attacker exploited the zero-address signature bypass to drain all tokens from the contract and swapped them for USDT via PancakeSwap. Powered by #SlowMist.AI(SlowMist)
+3
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads