The National Basketball Association (NBA) halted minting of its new NFT collection after an issue with its whitelist came to light.
Blockchain security firm BlockSec said on Thursday the collection has a serious vulnerability that allows attackers to mint NFTs without paying any tokens.
The Association is a new Ethereum-based NFT collection based on the 2022 NBA playoffs, which began minting on Wednesday. The tokens feature popular players from 16 teams, and will change in appearance depending on each player’s performance in the playoffs.
The NBA tweeted that it had paused minting in the collection, flagging issues with the whitelist, which caused the collection to sell out prematurely.
We apologize for this situation and are currently identifying the Allow List wallets that were not able to mint as a result
-the NBA
NBA NFTs use incorrect signature verification?
Blocksec said that the NFT contract fails to verify that a signature can be used only once, by a single user. Due to the oversight, attackers are able to reuse a signature belonging to an actual user and mint tokens for themselves.
This could explain why the NBA said its whitelist had sold out prematurely, as attackers exploited the vulnerability.
The blockchain security firm said the contract did not include any mechanisms to ensure a single authorized signature could be used only one. It also said that such a security requirement is “basic knowledge.”
We are surprised that how such a vulnerability can exist in a popular NFT project
-BlockSec
The collection is a blind mint, meaning that nobody will know which player they will mint until a reveal on Friday. 18000 tokens are available, of which nearly 16,000 appear to be minted.
No stranger to NFTs
The new collection is far from the NBA’s first foray into NFTs. The basketball league has tied up with major NFT player Dapper Labs to open its own NFT marketplace, called NBA Top Shot.
But The Association marks the NBA’s first expansion beyond its partnership with Dapper, as it looks to capitalize on the rapidly-growing popularity of sports-based NFTs and digital collectibles. Total sales from the Top Shot collection are nearly $1 billion, according to data from Crypto Slam.