What Caused and What Was the HEN Exploit?

Exploit?

As anyone who uses, or follows anything on Hic Et Nunc, the most popular NFT-platform on the Tezos blockchain, knows there has been a lot happening on Hic Et Nunc and recently collecting has been paused on the platform as well.
If you are not aware of what has happened there was recently an exploit discovered and later implemented that allowed for the stealing of multiple editions of objkts on the platform.
This is a summary of the events preceding, and during the events and what can and should be done by people using Hic Et Nunc. I am no expert on Smart Contracts, so I won't be able to go too deeply into how the exploit works on a technical level, but I'll try and explain things as clearly as I can!

The Leadup

The exploit in question didn't appear out of nowhere and there was a bit of a leadup to the events that occurred from the 26th onward. Here is a brief timeline of the events leading to the 26th.

• On the 10th of June the first report related to the bug and eventually the exploit was logged on the Hic Et Nunc GitHub.
  
  
• By the 13th the development team had identified that the issue lied within the swaps contract, and that in certain instances swaps were occurring without the ledger being updated. Meaning that swaps could occur without all of the swaps being indexed properly.
  
  
• By the 15th discussion within the HEN discord was more pronounced with HEN stating that they had knowledge of the bug, and that it was a potential exploit and would have it patched by that weekend.
  
  
• Between the 16th and the 26th focus was diverted towards other issues found that were causing issues within the website and so the expected patch on the 18th did not occur.
  
  
• On the 26th of June,the smart contract KT1F3SMqN7sEg9qxieW8JEsMwy9HhMkBs82B was created by this wallet which took advantage of the exploit discovered several weeks back. And began making swaps on HEN and sending them to the contract.
  
  

What Was the Exploit

The process for the attacker is fairly straightforward.
The attacker would first need to purchase an edition of an objkt. After purchasing one they would send it to the malicious contract which then creates additional copies to send back to the attacker for 0 tez. This allowed for them to purchase a piece with a high trading volume, create a large number of copies and then sell those. This would then leave all other people holding these pieces with negative objkts and in effect steal them out from under them.
This takes advantage of the previously discovered bug, which led to swaps occurring without the ledger updating. As such people with a 1/1 dont' need to be concerned since the exploit is taking advantage of an issue with the index decrementer for tracking multiple editions across the chain.
Additionally as a result this means that if there are no objkts being swapped of a multiple edition then the attacker can not go after those since it requires them to already hold a piece.

The exploit was only used on the Secondary Market, however the nature of it means that it would work just as well on the Primary Market. However since the attacker must purchase a piece it is really only applicable to the secondary market, and highly sought after pieces in order for it to be a profitable venture for the attacker.

As of writing this, seven objkts and seven artists were impacted by this exploit in total hhe pieces impacted can be seen here.

Response

In terms of what the team was able to do in the aftermath of the exploit being weaponized they were very limited.
Their reaction was to update the contract manager in order to deactivate all listings. This stopped people from being able to collect and as a result prevent the contract from continuously collecting pieces, however does not stop artists from minting pieces and selling them elsewhere.

Artists and collectors were also informed about the risks faced and informed people to not swap multiple editions of pieces in the meantime as those were the people at risk, albeit late. Along with this, tools in order to allow people to bulk unswap objkts were released. This allowed for people to easily make their objkts safe from being hit by the exploit.

The Hic Et Nunc team is now currently working on developing a new version of the smart contract in order to fix this issue. Due to the way the exploit is they will be unable to do fix it without switching to anew version of the contract. They are expecting to make a tool to allow people to bulk swap objkts on the new contract when the time comes so it should not be the worst to transition to the new contract.

Opinion Time

The nature of computing means there are always going to be bugs, and issues and exploits no matter what. One shouldn't be too harsh on Hic Et Nunc for the existence of this issue and the fact that it was major.

However there were lots of things that could have gone better and have been done better by them.
They were aware of the issue in full as early as the 13th of June and the gravity of bug was immediately apparent to them. Being able to swap pieces without the ledger updating is a critical flaw that attacks the core of NFT's being reliably trackable and of course 'Non-Fungible'.
The prevailing thought within the community circa June 15th-16th appears to have been that it was fairly minor and would be handled quickly.

A dramatic and early response would have required a similar amount of hassle as is being experience now, both by the artists and the developers. This is likely why they did not act as early as they should have. These dramatic actions, while cumbersome would have likely been less damaging then having the same amount of down time to fix the issue alongside a large hack occurring on their platform.
Finally the delay in getting a warning/banner up on the site immediately and a lack of communication from the team directly led to heavy reliance from the community on people who were not able to have full information of the events and led to even more uncertainty of what could and could not be done.

Communication issues being the root cause of most of these issues means that in the future Hic Et Nunc should strive for more transparency, and better practices around bug/exploit disclosures. In order to better protect their site, and the people who sell on it.

Next Steps

As of now there is not much to be done by artists on Hic Et Nunc if you are one.
If you haven't already you should unswap all of the objkts you have up for swap, so that you can swap them when the next version of the contract comes out.
Mass unswaps will need to occur for the next contract, and if you have yet to do so you can do it here.
One can also utilize the objkt.bid website in order to sell pieces in the meantime while Hic Et Nunc is implementing the new contract.

Additional Info/Reading

• here
  
  @NFTBiker has a writeup of the exploit that is quite good, and you can read it
• There is a google doc that is continuously updated as the story develops with a breakdown of everything that occurred each day here
  
  
• here@NFTBiker has a good twitter thread as well to read through

_{NFTHypeSquad banner design by CryptoPom}

All earnings from our blog will be used to raise a fund to support artists who want to start out on @nftshowroom!

But we want to reward our authors too, so 25% of this post's rewards go to Huasotech.

We gladly appreciate any support, donations or delegations :)

If you like, find us on Twitter and also follow our Twitter List to see what all our members are up to!

If you want to join the Squad, reach out to us, we're looking forward to getting to know you! <3