Nutbox contract issue report

Today, there was a potential admin key leakage incident on the Nutbox staking platform, a partner platform that hosts Mint Club's staking pools. Nutbox's contract has passed an audit by Certik. The exact cause is under investigation. Please watch for follow-up updates.

Please see the summarised report below.

  • Someone executed the `adminExecuteProposal` function to withdraw tokens from the MINT/WBNB LP staking pool and MINT/MINTDAO/GRANT single staking pools on Nutbox.

  • The hacker withdrew a total of 101,000,000,000 MINT, 158,000 MINTDAO, 118,000 GRANT and 1,025,538 Cake-LP tokens (MINT/WBNB pool).

  • We expect the cause of this case to be related to an admin key leakage on the Nutbox platform (the partner company).

Below is the hacker's wallet address, which holds permission to make the `adminExecuteProposal` contract call: https://bscscan.com/token/0x1f3af095cda17d63cad238358837321e95fc5915?a=0x47c52dcd40e9dfd1dec1b7eea5817c7cbe379829

The transactions below show that the hacker swapped MINTDAO and GRANT for MINT, then sold the MINT and the Cake-LP tokens via PancakeSwap:

https://bscscan.com/address/0x47c52dcd40e9dfd1dec1b7eea5817c7cbe379829#tokentxns

Possible reason behind this case

Before our team decided to partner with Nutbox, we completed all the necessary procedures, from checking their smart contract code to reviewing the audit report provided by CERTIK (https://cdn.wherein.mobi/nutbox/v2/docs/REP-Nutbox-Walnut-Network-2021-10-29.pdf).

After scrutinizing the report, we did not notice any serious bugs or vulnerable parts. The only potential concern was the `DEFAULT_ADMIN_ROLE`, a privileged role that many established DeFi protocols use to upgrade their contracts or pause contract operation in an emergency.

However, the hacker abused that admin permission to withdraw all the tokens held by the contract. We determined that this was NOT a direct attack on the smart contract code itself; it is far more likely to be related to the admin key issue mentioned above. Overall, this incident most likely stems from one of two scenarios:

  1. The admin key may be leaked.

  2. An internal person may have stealthily performed this crime.
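As an added illustration (not Nutbox's or Mint Club's code), the following hypothetical staking-pool skeleton shows one way to limit the damage a leaked or misused `DEFAULT_ADMIN_ROLE` key can do: every admin action must be queued and wait out a minimum delay before `adminExecuteProposal` can run it, and a separate guardian role can cancel a queued action in that window. It assumes OpenZeppelin's `AccessControl`; the contract, role and function names other than `DEFAULT_ADMIN_ROLE` and `adminExecuteProposal` are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical example: admin actions are delayed so that users and a
// guardian have time to react if the admin key is ever compromised.
contract TimelockedPool is AccessControl {
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");
    uint256 public constant MIN_DELAY = 2 days;

    // proposal id => earliest timestamp at which it may execute (0 = not queued)
    mapping(bytes32 => uint256) public readyAt;

    event Queued(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address admin, address guardian) {
        // The admin should be a multisig, never a single externally owned key.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(GUARDIAN_ROLE, guardian);
    }

    function proposalId(address target, bytes calldata data, uint256 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));
    }

    // Step 1: the admin announces the action; the Queued event is what monitoring watches.
    function queueProposal(address target, bytes calldata data, uint256 salt) external onlyRole(DEFAULT_ADMIN_ROLE) {
        bytes32 id = proposalId(target, data, salt);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    // A guardian (held separately from the admin key) can veto anything still in the delay window.
    function cancelProposal(bytes32 id) external onlyRole(GUARDIAN_ROLE) {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Step 2: execution is only possible once the delay has elapsed.
    function adminExecuteProposal(address target, bytes calldata data, uint256 salt) external onlyRole(DEFAULT_ADMIN_ROLE) {
        bytes32 id = proposalId(target, data, salt);
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```

With this pattern, an off-chain monitor subscribed to `Queued` events can alert on any proposal that targets the pool's token balances, and the guardian can cancel it before the delay expires.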

Damage

In total, the hacker withdrew 101,000,000,000 MINT, 158,000 MINTDAO, 118,000 GRANT and 1,025,538 Cake-LP tokens (MINT/WBNB pool) from the Nutbox contract. These tokens belonged to Mint Club users, including the team's own staked supply. This incident caused both financial and non-financial damage, not only to individual users but also to the team and the project.

Discussion on addressing the issue

We have asked the Nutbox team to determine the exact cause of this major leakage and to gather all available evidence for a report to the government authorities. Because this incident originates from someone with access to the Nutbox contract admin key, the Mint Club team has limited means to investigate the person behind it on our own; however, we are making our best effort to assist the Nutbox team in pinpointing the origin.

Next up

Even though the project has been attacked twice in a row (the hack of a whale MINT holder's wallet, and this Nutbox contract leakage), we will not let these criminals stop us from building up the Mint Club platform. We will find solutions, learn from this issue, and keep working toward the long-term goal of building a place where anyone with an idea can run a token project without complications.

We're currently in discussion with the Nutbox team, and the follow-up measures will be announced as soon as possible.