Re -creation attack in ERC -1155 -Ackee Blockchain

Find out how an attacker can use the re-creation vulnerabilities in the ERC-1155 implementation to discharge the Vault Agreement. This practical example shows a real attack scenario.

Understanding vulnerable contracts

We will review the simplified safe agreement that shows the re -creation vulnerability. The method of working is as follows.

• The user creates an etk through the THE create function
• This NFT can be freely transmitted between users.
• User payEth function
• Then NFT holders can do it. withdraw Eth by burning NFT

Below is a vulnerable safe agreement.

Vulnerability exploits

The vulnerability mint External call of function IERC1155Receiver(to).onERC1155Received(). This call occurs before the update fnftsCreated Create a counter and re -creation opportunity.

Attack vector

The attacker uses two main contract functions.

• that id_to_required_eth(nft_id) Mapping controls the amount of ETH.
• that nft_price(nft_id) Set the price per individual NFT

Attack stage

1. Telephone create big nftAmount But it’s small value
2. Ree center with small things in Mint Callback nftAmount But big value
3. This is set high nft_price(nft_id) For all NFT
4. withdraw the reception. total_nfts * high_price ETH

Detailed attack flow

Let’s classify the attack stage step by step.

1. Early creation
   • Attacker create(1000, 1 wei)
   • Vault Mints 1000 nfts ID = k (getNextId()))
2. Re -creation attack
   • during onERC1155Received() Callback:
   • Attacker create(1, 1 ether)
   • same nft_id (k) Is used (not updated in the counter)
   • set nft_price(k) = 1 ether
3. Profit extraction
   • The attacker is unlocked with 1 eth
   • Withdraw all 1001 NFT
   • 1001 ETH (1001 NFTS * 1 ETH price) received

Attacker

Concept proof

Below is a complete attack using Wake Testing Framework.

If you run this exploitation, the safe will be successfully drained.

Prevention of attack

Two main approaches can prevent these vulnerabilities.

1. Inspection effect interaction pattern
   • Update the status variable before making an external call
   • This is a recommended approach.
2. Re -creation guard
   • Use ReENTRANCYGUARD of Openzeppelin
   • Add a modifier to prevent re -entry call

The fixing implementation is as follows.

Main takeout

• The external currency of the ERC standard can create an unexpected recreational vector.
• The main variable shared over the contract requires careful handling.
• Always update your condition before external currency
• Consider using REENTRANTRANTRANCY Guards as an additional safety measure

Additional reading

Navigate the ReEntrancy example repository for more attack vectors.