An Open Letter to the Community: About the LuckyChicks

Dear community,

Thank you all for your support in making LoserChick one of the hottest blockchain games of the moment. In just a few days, NFTs have been minted 122,856 times, and what a crazy number that is!

Together with the popularity, we’ve also got a special guest. On July 30, 2021, a hacker conducted a test attack on the LoserChick NFT minting contract. On August 1 at 9:00 (UTC), after receiving many DMs from community members, we became aware of the vulnerability in the NFT minting contract. We located the problem at once. After 3 hours of development and testing, we temporarily shut down the app at 14:20 (UTC) on August 1 for upgrading and optimization, and the new NFT minting contract went live on August 1 at 15:05 (UTC).

As a result, some desirable LoserChick NFTs were born much earlier than they should have been. We are deeply sorry for it. The contract vulnerability affected everyone’s gaming experience and mood, ours included.

As a community game, it’s important for us to be transparent, so we want to share the details with all of you.

The hacker called the NFT minting contract from self-built contracts. If the target NFT was not minted, the calling contract rolled back (reverted) the transaction and minted again, repeating until the target NFT was minted.

In the attack shown below, the hacker performed 24 on-chain rolled-back transactions before getting a LuckyChick on the 25th mint.

So the probability itself is not the problem. The hacker simply made dozens of times more minting attempts (boiled far more eggs) while consuming hardly any eggs in reality, which by comparison greatly increased the number of LuckyChicks produced.

This process only costs gas, which is why you have seen so many LuckyChicks appearing on the market at high frequency from several accounts in the last few days. Since we updated the contract yesterday, this is no longer possible.

After rigorous troubleshooting, we have upgraded and replaced the NFT minting contract and re-validated the other contracts. The new NFT minting contract is now safe and prohibits minting by way of contract calls; only normal users can mint NFTs now. LoserChick is still the same fair game as before.

In fact, similar problems are not unique in the blockchain field: flash loan attacks and similar techniques likewise commit only when they succeed and roll back when they fail. We analyzed several options and finally chose to prohibit calls from contract addresses, which requires no action from ordinary users and has a lower upgrade cost. In addition, only the minting contract can now call the random number contract.

Generally speaking, addresses can be divided into contract addresses and common addresses, and the block explorer usually labels which is which. For example, the $EGG token address is a contract address, while the wallet generated by the user in Metamask is a common address. In layman’s terms, disabling contract address calls means that only normal addresses are allowed to mint NFTs, and a normal address cannot roll back a mint within a block.

The new NFT minting contract has now been running safely for 24 hours, and we have also re-verified the other contracts; they are all fine.

Even though the hacker obtained NFTs in a short time, this had no probabilistic impact on other users minting NFTs at the same time: each user’s chance of minting an NFT is the same, and the outcomes are independent of each other. The only problem it causes is that the NFT release cycle may be accelerated, meaning that by the time later players join the game some of the LuckyChicks will already have been produced, which is really unfortunate.

On June 13, LoserChick completed a comprehensive audit by CertiK, a professional auditing firm, which provides a certain level of security assurance. In response to this contract vulnerability, however, we are fully reviewing the code and taking strict precautions.

For more details, see the audit report:

https://github.com/Loserchick/loserchick_contracts/blob/main/audit_report/loserchick_20210616.pdf

Consume 1 EGG to Mint NFT

Step 1

Obtain a random number and compare it with the specified threshold. If the random number < the threshold, go to Step 2.

If the random number ≥ the threshold, the minting fails and the minting process ends.

Note: the random number is computed from a random seed derived from the blockhash.

Step 2

Obtain a random number and, based on it, decide in turn whether to mint a ShriekingChick, LuckyChick, LaborChick, BossChick or TrumpChick.

If the ShriekingChick, LuckyChick, LaborChick and BossChick all fail to be minted, a TrumpChick is minted.

Consume Multiple EGGs Together to Mint NFTs (With 10 Eggs You Get 5 NFTs Guaranteed)

- If the EGG quantity ≤ 9, the minting process is the same as “Consume 1 EGG to Mint NFT”, repeated once per egg.

- If the EGG quantity = 10, after the 10th mint it checks whether the number of NFTs minted ≥ 5; if so, minting ends. If fewer than 5 NFTs were minted, the minting process is repeated until the number of NFTs = 5.
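To make Steps 1 and 2 and the multi-egg rule concrete, and to show why the revert-and-retry behaviour described earlier skews the results even though the per-mint probability is unchanged, here is an added Python model. It is not code from the LoserChick contracts: the Step 1 threshold, the tier probabilities and the `caller_has_code` flag standing in for the post-upgrade contract-caller check are constructed placeholders, and only the control flow follows the steps above.

```python
"""Model of the egg-to-NFT minting flow (Step 1 threshold roll, Step 2 tiered
roll, 10-egg guarantee) and of the revert-and-retry behaviour that skewed it.

Constructed example: MINT_THRESHOLD and TIERS are PLACEHOLDER values chosen
for illustration, not the LoserChick contract's parameters.
"""
import random
from collections import Counter

MINT_THRESHOLD = 0.70          # assumed: Step 1 succeeds when roll < threshold
# Assumed Step 2 tier table, checked "in turn" in the order the post lists.
TIERS = [
    ("ShriekingChick", 0.01),
    ("LuckyChick", 0.05),
    ("LaborChick", 0.10),
    ("BossChick", 0.20),
]
FALLBACK = "TrumpChick"        # minted whenever every tier above is missed
GUARANTEE_EGGS = 10
GUARANTEE_NFTS = 5


def mint_one(rng=None):
    """Step 1 and Step 2 for a single egg. Returns a chick name, or None when
    the Step 1 roll is >= the threshold and minting fails."""
    rng = rng if rng is not None else random.Random()
    if rng.random() >= MINT_THRESHOLD:
        return None
    roll = rng.random()
    cumulative = 0.0
    for name, probability in TIERS:
        cumulative += probability
        if roll < cumulative:
            return name
    return FALLBACK


def mint_batch(eggs, rng=None):
    """Multi-egg minting: each egg runs mint_one; with exactly 10 eggs the
    process keeps minting until at least 5 NFTs exist."""
    if not 1 <= eggs <= GUARANTEE_EGGS:
        raise ValueError("eggs must be between 1 and 10")
    rng = rng if rng is not None else random.Random()
    minted = [c for c in (mint_one(rng) for _ in range(eggs)) if c is not None]
    if eggs == GUARANTEE_EGGS:
        while len(minted) < GUARANTEE_NFTS:
            chick = mint_one(rng)
            if chick is not None:
                minted.append(chick)
    return minted


def gated_mint_batch(caller_has_code, eggs, rng=None):
    """Post-upgrade rule from the letter: a caller that is a contract is
    rejected before any roll happens, so no outcome can be filtered by
    reverting. The caller type is modelled as a flag here (assumption)."""
    if caller_has_code:
        raise PermissionError("contract callers may not mint")
    return mint_batch(eggs, rng)


def honest_outcomes(total_eggs, rng=None):
    """Honest minting: every attempt is committed, so the egg is spent
    whether the result is a TrumpChick, a LuckyChick or a failure."""
    rng = rng if rng is not None else random.Random()
    outcomes = Counter()
    for _ in range(total_eggs):
        outcomes[mint_one(rng) or "failed"] += 1
    return outcomes


def selective_outcomes(target, wanted, rng=None):
    """Revert-and-retry as the letter describes it: every attempt whose result
    is not the target is undone, so only target mints are committed and the
    misses cost gas alone. Returns (committed outcomes, attempts made)."""
    rng = rng if rng is not None else random.Random()
    committed, attempts = Counter(), 0
    while committed[target] < wanted:
        attempts += 1
        if mint_one(rng) == target:
            committed[target] += 1
    return committed, attempts


def lucky_share(outcomes):
    """Fraction of committed NFTs that are LuckyChicks."""
    minted = sum(n for k, n in outcomes.items() if k != "failed")
    return outcomes["LuckyChick"] / minted if minted else 0.0


def simulate(seed=2021, honest_eggs=20_000, wanted_lucky=200):
    """Compare an honest session with a selective one under the same model."""
    rng = random.Random(seed)
    honest = honest_outcomes(honest_eggs, rng)
    committed, attempts = selective_outcomes("LuckyChick", wanted_lucky, rng)
    return {
        "honest_share": lucky_share(honest),
        "selective_share": lucky_share(committed),
        "selective_attempts": attempts,
        "selective_committed": committed["LuckyChick"],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

Under these placeholder odds the honest session commits roughly one LuckyChick per twenty minted NFTs, while the selective session commits nothing but LuckyChicks and pays for the misses in gas alone; that is the distortion the letter describes, and the 10-egg branch in `mint_batch` shows how the guarantee loop fits in. On-chain, the flag in `gated_mint_batch` corresponds to checking that the minting caller is an externally owned account. A code-size check on the caller is known to pass for a contract that is still running its constructor, so `require(msg.sender == tx.origin)` is the form that actually enforces “only normal addresses”, at the cost of also excluding smart-contract wallets.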

For more detailed parameters, please refer to the NFT minting contract:

NFT minting contract (before upgrade): https://polygonscan.com/address/0xA609BA2bCB89893B280449Ca57B46dA6edF8023b#code

NFT minting contract (after upgrade): https://polygonscan.com/address/0xCf4E54170d5Bb99495bf7Eb062F3116AF0e86949#code

NFTs minted by the Hacker

NFTs Sold by the Hacker

Remaining NFTs Held by the Hacker

Related Transfers and Trades

https://docs.google.com/spreadsheets/d/1d05Qxku_m1cJcUjqN3SMUj6kcby-VKshhx3EaD4nJSY/edit#gid=93531712

Thank you for reminding us that you can’t be too careful when running a smart contract. We would also like to remind you of something:

Finally, thanks again to all of the community members. It’s your support that makes LoserChick stronger.

LoserChick is a web 3 gaming project consisting of claw crane, P2E, DeFi & NFTs. Get Started: https://linktr.ee/LoserChick