Security firm BlockSec detected a loophole in the NBA’s ‘Association NFT’ collection that causes the ‘Allow List’ to sell out permanently. This vulnerability could have allowed any malicious entity to mint several NFTs without paying any tokens.
The ‘Association NFT’ collection was announced a few days ago by the NBA in partnership with NBPA. The collection’s mint date was today; however, minting has been paused after a major loophole was detected in the smart contracts.
BlockSec says the major cause of this problem is incorrect signature verification. That is, the contract fails to ensure that the signature can only be used by the ‘user (and only the user) once’. An attacker can reuse a privileged user’s signature and mint tokens for themselves.
BlockSec says that they are amazed by “how such a vulnerability can exist in a popular NFT project”.
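The verification gap BlockSec describes, modelled as an added example that is not the NBA's contract code: a mint that only confirms the voucher is genuine, beside one that binds the voucher to the caller and to this contract and records its use. HMAC stands in for the allow-list signer's signature, and every name, key and address here is constructed for illustration.

```python
import hashlib
import hmac

# Constructed values. HMAC is a stand-in for the signer's ECDSA signature;
# what matters is which fields the signature covers and whether use is recorded.
SIGNER_KEY = b"constructed-allow-list-signer-key"
CONTRACT_ID = b"association-mint-v1"  # hypothetical domain separator


def sign_voucher(wallet: str, domain: bytes = b"") -> bytes:
    """Signer side: issue an allow-list voucher for one wallet."""
    msg = domain + b"|" + wallet.lower().encode()
    return hmac.new(SIGNER_KEY, msg, hashlib.sha256).digest()


class WeakMint:
    """Confirms the voucher is genuine, but not who presents it or how often."""

    def __init__(self):
        self.owners = []

    def mint(self, caller: str, voucher_wallet: str, sig: bytes) -> bool:
        if not hmac.compare_digest(sign_voucher(voucher_wallet), sig):
            return False
        self.owners.append(caller)  # caller never compared, use never recorded
        return True


class BoundMint:
    """Voucher is tied to this contract and the caller, and is single-use."""

    def __init__(self):
        self.owners = []
        self.claimed = set()

    def mint(self, caller: str, sig: bytes) -> bool:
        wallet = caller.lower()
        if wallet in self.claimed:
            return False  # the voucher has already been used once
        # The expected value is derived from the caller, not from caller input.
        if not hmac.compare_digest(sign_voucher(wallet, CONTRACT_ID), sig):
            return False  # not issued to this caller for this contract
        self.claimed.add(wallet)
        self.owners.append(wallet)
        return True
```
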
The NBA was quick to recognize the problem and took to Twitter to apologize and lay out a further plan. The league thanked everyone for their patience and apologized for the mistakes that led to this mishap.
They said that they were identifying the wallets on the Allow List that were not able to mint an NFT. Those wallets will be eligible for an NFT airdrop from the Association collection.
To do this, the league has announced that it is almost doubling its collection from 18,000 NFTs to 30,000 NFTs. Each player previously had 75 editions, but will now have 125 editions.
They further wrote on Twitter that they will keep updating people about the airdrop and will post those updates on Twitter and their Discord channel.
The Association Collection is a collection of dynamic NFTs whose traits will change over the course of the playoffs. NFTs for each of 240 players will be released. Only people on the ‘Allow List’ could get NFTs from this collection.
The mint date was April 22. However, it now seems that it will be quite some time before all the fans are able to get their NFTs and mint them.