An Open Letter to the Community: About the LuckyChicks

Dear community.

Thank you all for your support in making LoserChick one of the hottest blockchain games of the moment. In just a few days, NFTs have been minted 122,856 times, and what a crazy number that is!

Together with the popularity, we’ve also got a special guest. On July 30, 2021, a hacker conducted a test attack on the LoserChick NFT minting contract. On August 1 at 9:00 (UTC), after receiving many DMs from community members, we began to notice the vulnerability in the NFT minting contract. We located the problem at once. After 3 hours of development and testing, we temporarily shut down the app at 14:20 (UTC) on August 1 for upgrading and optimization, and the new NFT minting contract went live at 15:05 (UTC) on August 1.

As a result, some decent LoserChick NFTs were born much earlier than they were expected to be. We are deeply sorry for it. The vulnerability of the contract affected everyone’s gaming experience and mood, and ours as well.

As a community game, it’s important to be transparent, so now we want to share the details with all of you.

A Special Guest

The hacker called the NFT minting contract from self-built contracts. If the target NFT was not minted, the calling contract rolled back the transaction and minted again, repeating until the target NFT was minted successfully.

In the attack shown below, the hacker performed 24 on-chain rolled-back transactions before obtaining a LuckyChick on the 25th minting.

So the probability itself was not the problem: the hacker performed dozens of times more mint attempts (“boiled eggs”) while consuming almost no EGGs in reality, which resulted in a disproportionately large number of LuckyChicks being produced.

This process only costs gas fees, and this is why you have seen so many LuckyChicks flowing out to the market at high frequency from several accounts in the last few days. Since we updated the contract yesterday, this is no longer possible.

The Solution

After rigorous troubleshooting, we have upgraded and replaced the NFT minting contract and revalidated the other contracts. The new NFT minting contract is now safe and prohibits minting by way of contract calls; only normal users can mint NFTs now. LoserChick is still the same fair game as before.

In fact, similar problems are not unique to this project in the blockchain field; flash loan attacks, for example, use the same pattern of executing when successful and rolling back when not. We analysed several options and finally chose “prohibiting contract address calls”, which requires no action from ordinary users and has a lower upgrade cost. Besides, only the minting contract can now call the random number contract.

Generally speaking, addresses can be divided into contract addresses and common addresses, which are usually marked as such on the block explorer. For example, the $EGG token address is a contract address, while a wallet generated by a user in MetaMask is a common address. In layman’s terms, disabling contract address calls means that only normal addresses are allowed to mint NFTs, and a normal address cannot roll back a transaction within one block.

We observe that the new NFT minting contract has been running safely for 24 hours, and we have also re-verified the other contracts; they are all good.
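To make the two mitigations concrete, here is an added illustration in Solidity. It is not LoserChick’s code: the contracts `EggRandom` and `GatedMinter`, the event names and the 25% success threshold are all hypothetical, and it deliberately keeps an ungated `mintBeforeUpgrade` next to the gated `mint` so the “before” and “after” shapes can be compared side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's contract. Hypothetical names
// throughout; the threshold below is an assumed value, not a real parameter.

contract EggRandom {
    address public immutable minter;   // the only address allowed to draw numbers
    uint256 private nonce;             // mixed in so two draws in one block differ

    constructor(address minter_) {
        minter = minter_;
    }

    // Only the minting contract may call the random-number contract.
    function next() external returns (uint256) {
        require(msg.sender == minter, "EggRandom: caller is not the minter");
        nonce++;
        // Seed derived from a past block hash, as the letter describes.
        // Defender's caveat: on-chain inputs are public, so this is not
        // unpredictable; the caller gate removes the same-transaction
        // revert-and-retry, while unpredictability needs a VRF or commit-reveal.
        return uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), tx.origin, nonce)));
    }
}

contract GatedMinter {
    EggRandom public immutable random;
    // Assumed: a draw below one quarter of the range succeeds (25%).
    uint256 public constant WIN_THRESHOLD = type(uint256).max / 4;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    event Minted(address indexed to, uint256 tokenId);
    event MintFailed(address indexed to);

    constructor() {
        random = new EggRandom(address(this));
    }

    // The caller gate: msg.sender == tx.origin holds only when the account
    // that signed the transaction is itself the caller, i.e. a normal
    // (externally owned) address. extcodesize(msg.sender) == 0 is the other
    // common test, but it also reads zero while a contract is still running
    // its constructor, so the tx.origin comparison is the stricter check.
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "GatedMinter: contract callers not allowed");
        _;
    }

    // "Before" shape, kept only for comparison: any contract may call this,
    // see the outcome inside the same transaction, and revert when unlucky.
    function mintBeforeUpgrade() external {
        _mint();
    }

    // "After" shape: a normal address cannot conditionally roll back its own
    // transaction, so a failed draw really costs the EGG.
    function mint() external onlyEOA {
        _mint();
    }

    function _mint() internal {
        uint256 roll = random.next();
        if (roll >= WIN_THRESHOLD) {
            emit MintFailed(msg.sender);   // EGG consumed, no NFT (step 1 failure)
            return;
        }
        uint256 id = nextTokenId++;
        ownerOf[id] = msg.sender;
        emit Minted(msg.sender, id);
    }
}
```

Deploying `GatedMinter` in a sandbox such as Remix and calling `mint` from a second contract reverts with the gate’s message, while calling it from an account succeeds or emits `MintFailed`; that is the behaviour difference the upgrade introduced. The restriction on `EggRandom.next` is what stops any other contract from consuming or observing the random stream directly.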

The Impact to the Chance of Minting

Even if the hacker succeeded in getting NFTs in a short time, it has no probabilistic impact on other users minting NFTs at the same time. The probability of each user minting an NFT is the same, and the draws are independent of each other. The only problem it causes is that the release cycle of the NFTs may be accelerated: by the time later players enter the game, some of the LuckyChicks will already have been produced, which is really unfortunate.

About the Audit

On June 13, LoserChick completed a comprehensive audit by Certik, a professional auditing agency, with certain guarantees in terms of security. But in response to this contract vulnerability, we are fully reviewing the code and taking strict precautions.

For more details, see the audit report:

https://github.com/Loserchick/loserchick_contracts/blob/main/audit_report/loserchick_20210616.pdf

Details of the NFT Minting Process

Consume 1 EGG to Mint NFT

Step 1

Obtain a random number and check whether it is < the specified value. If it is, go to Step 2.

If the random number is ≥ the specified value, the minting fails and the minting process ends.

Note: the random number is calculated from a seed derived from the blockhash.

Step 2

Obtain a random number and, according to it, determine in turn whether to mint a ShriekingChick, LuckyChick, LaborChick, BossChick or TrumpChick.

If none of ShriekingChick, LuckyChick, LaborChick and BossChick is minted, a TrumpChick is minted for certain.

Consume Multiple EGGs Together to Mint NFTs (with 10 EGGs you get 5 NFTs guaranteed)

- If the EGG quantity is ≤ 9, the minting process is the same as “consume 1 EGG to mint NFT”, repeated once per EGG.

- If the EGG quantity is 10, after the 10th mint the contract checks whether the number of minted NFTs is ≥ 5. If so, minting ends; if fewer than 5 NFTs were minted, the minting process is repeated until the number of NFTs = 5.

For more detailed parameters, please refer to the NFT minting contract:

NFT minting contract (before upgrade): https://polygonscan.com/address/0xA609BA2bCB89893B280449Ca57B46dA6edF8023b#code

NFT minting Contract (after upgrade): https://polygonscan.com/address/0xCf4E54170d5Bb99495bf7Eb062F3116AF0e86949#code
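The two-step flow and the 10-EGG guarantee above, written out as an added Solidity example. This is not the project’s contract: the library `MintRules`, the wrapper `MintRulesView` and every numeric cut-off (the step 1 threshold and the per-rarity shares) are assumptions chosen only to make the logic runnable, and the random words are derived from a caller-supplied seed rather than from the live random-number contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. All thresholds are assumed.
library MintRules {
    enum Kind { None, Shrieking, Lucky, Labor, Boss, Trump }

    // Step 1: the mint continues only if random < STEP1_THRESHOLD (assumed 1 in 2).
    uint256 internal constant STEP1_THRESHOLD = type(uint256).max / 2;

    // Step 2 cut-offs, tested in the order the letter gives. Assumed cumulative
    // shares of the full uint256 range: 1% Shrieking, 2% Lucky, 5% Labor,
    // 10% Boss, and everything above the last cut-off is Trump.
    uint256 internal constant SHRIEKING_CUT = type(uint256).max / 100;
    uint256 internal constant LUCKY_CUT     = type(uint256).max / 100 * 3;
    uint256 internal constant LABOR_CUT     = type(uint256).max / 100 * 8;
    uint256 internal constant BOSS_CUT      = type(uint256).max / 100 * 18;

    // i-th random word from a seed; in the live system this would come
    // from the blockhash-based random-number contract instead.
    function roll(bytes32 seed, uint256 i) internal pure returns (uint256) {
        return uint256(keccak256(abi.encodePacked(seed, i)));
    }

    // "Consume 1 EGG to mint NFT": two draws, at most one NFT.
    function mintOne(uint256 r1, uint256 r2) internal pure returns (Kind) {
        // Step 1: at or above the threshold the EGG is consumed with no NFT.
        if (r1 >= STEP1_THRESHOLD) return Kind.None;
        // Step 2: each rarity in turn; TrumpChick is the guaranteed fallback.
        if (r2 < SHRIEKING_CUT) return Kind.Shrieking;
        if (r2 < LUCKY_CUT)     return Kind.Lucky;
        if (r2 < LABOR_CUT)     return Kind.Labor;
        if (r2 < BOSS_CUT)      return Kind.Boss;
        return Kind.Trump;
    }

    // "Consume multiple EGGs": 1..9 EGGs repeat the single flow once per EGG;
    // exactly 10 EGGs keep rolling after the 10th round until 5 NFTs exist.
    // Successes can never exceed `eggs` (10 rounds give at most 10, and the
    // extra rounds stop at 5), so a buffer of `eggs` slots is enough.
    function mintMany(uint256 eggs, bytes32 seed) internal pure returns (Kind[] memory minted) {
        require(eggs >= 1 && eggs <= 10, "MintRules: 1 to 10 EGGs");
        Kind[] memory buf = new Kind[](eggs);
        uint256 n;       // NFTs minted so far
        uint256 round;   // rounds played so far
        while (round < eggs || (eggs == 10 && n < 5)) {
            Kind k = mintOne(roll(seed, 2 * round), roll(seed, 2 * round + 1));
            if (k != Kind.None) buf[n++] = k;
            round++;
        }
        minted = new Kind[](n);
        for (uint256 i = 0; i < n; i++) minted[i] = buf[i];
    }
}

// Thin wrapper so the pure library can be exercised from a sandbox or test.
contract MintRulesView {
    function simulate(uint256 eggs, bytes32 seed) external pure returns (MintRules.Kind[] memory) {
        return MintRules.mintMany(eggs, seed);
    }
}
```

Calling `simulate(10, seed)` with a few different seeds shows the guarantee in action: the returned array is never shorter than 5, and it is longer than 5 only when the first 10 rounds already produced more. Because `mintMany` is a pure function of the seed, it also makes the letter’s point about independence visible: one caller’s outcome does not change the thresholds applied to the next caller’s draws.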

About the Related NFTs

NFTs minted by the Hacker

NFTs Sold by the Hacker

Remaining NFTs Held by the Hacker

Related Transfers and Trades

https://docs.google.com/spreadsheets/d/1d05Qxku_m1cJcUjqN3SMUj6kcby-VKshhx3EaD4nJSY/edit#gid=93531712

Words To the Special Guest

Thanks for reminding us that you can’t be too careful when you run a smart contract. We also want to remind you of something:

Please set the following address as the only tradable address and offer a proper price within 48 hours, and we will buy back the remaining NFTs in your address and burn them all. Otherwise, they will be banned from mining.

Address: 0x849aaD6Be87071bD73843303381337eD50ad2369

Finally, thanks again to all of the community members. It’s your support that makes LoserChick stronger.

LoserChick is a web 3.0 gaming project consisting of claw crane, P2E, DeFi & NFTs 👾 Get Started: https://linktr.ee/LoserChick
