Ali's NFT blind box becomes a "bright box" as a technical blunder draws ridicule

Time: 2022-02-16

The NFT wave has opened new markets for major IPs. On January 19, the official social media of the well-known domestic animation IP Ali announced its entry into the NFT field and launched the "Ali&His Friends" series of NFTs.

On February 15th, after the early whitelist distribution and warm-up, 10,000 Ali series NFT blind boxes officially went on sale, each priced at 0.1 ETH. On the OpenSea marketplace, the price of a blind box was pushed up to about 0.2 ETH.

As a rule, blind boxes can only be opened after all of them have been sold. But community members soon revealed technical loopholes in this series of NFTs: users could access the metadata and image information corresponding to a blind box through the backend code logic, without opening the box.

According to technicians' analysis, the blind box became a "bright box" mainly because the project team exposed the backend code logic and the administrator backend address, and placed the blind box metadata in a public folder that anyone could access. The official team has not responded to this analysis and has not publicly explained the cause, but it said on the community's Discord that it will shuffle the leaked metadata and rearrange the rarity of the NFTs.

Since Ali is a genuine domestic IP, this technical "rollover" incident has raised questions about domestic projects. Ali NFT had previously planned to build the Aliverse virtual universe and related games around "Ali and his friends", but after this low-level technical accident, many people doubt whether that goal can be realized.



Technical loopholes cause Ali's NFT blind box to become a "bright box"


Cute, warm and childlike, the cartoon character Ali, who has always believed in fairy tales, accompanied many people through their youth. As the NFT wave surged, this classic domestic animation IP also caught the trend and entered the NFT market.

On January 19 this year, Ali's official social media announced the launch of the "Ali&His Friends" series of NFTs. According to the official website, the series contains a total of 10,000 NFTs, made up of unique avatars of "Ali and his friends". The characters include Ali, Big Bear, Peach, Shadow, Mika, etc. Each character avatar has different outfits and a different rarity.



User's two Ali NFT avatars



After the announcement, a large number of Ali fans and NFT enthusiasts expressed interest in collecting on social media, and the follower count of Ali NFT's official Twitter account grew rapidly to 109,000. Under its NFT release rules, only users who had completed multiple tasks and obtained a whitelist spot were eligible to purchase through official channels on the release date.

On February 15th, Ali NFT blind boxes were officially launched, each priced at 0.1 ETH. Many long-waiting whitelisted users bought blind boxes at the first opportunity. As a rule, blind boxes can only be opened after all of them have been sold.

Blind boxes purchased by whitelisted users can, however, already be listed on marketplaces such as OpenSea. On February 16th, the floor price of the Ali NFT blind box on OpenSea was about 0.2 ETH, a 100% increase from the official sale price.

Just as blind box holders were looking forward to seeing which NFT they would get, the accident happened. According to feedback from community members, the "Ali&His Friends" series of NFTs had technical loopholes during the pre-sale process, which allowed users to access the metadata and image information corresponding to a blind box through the backend code logic, without opening the box.

The mystery of the blind box was suddenly lost, and it became a "bright box", which is especially rare in the history of NFT sales. In addition, some users broke the news that there was a spelling error on the previous official website of Ali NFT, and "Connect wallet" was spelled "Collect wallet".

According to the analysis of Twitter user 0xZdm, the blind box leak exposes multiple weaknesses in Ali NFT's technology. First, the team did not turn off debug mode, so the backend code logic is directly exposed; second, the site uses a version of ThinkPHP released 5 years ago, which is likely to have exploitable vulnerabilities; third, the official website exposes the administrator backend address; fourth, the metadata that should only be visible after the blind box is opened is placed directly in the public folder, where anyone can access it at any time. The user @-mentioned the official Ali NFT team and said, "Please stop this behavior of using Web1.5 technology to harvest Web3.0 leeks."

After these issues were exposed, there was an uproar. The Ali NFT community fell into chaos, with members demanding an explanation from the team. At this point, an ID suspected of belonging to an administrator in the official Ali NFT Discord group sent a message saying "Brothers, hurry up and ship", which caused further controversy.

Subsequently, the official team responded in the community that the account that posted the "shipping" remark had not been used for a long time and was suspected of having been stolen. The official Ali NFT team has still not publicly explained the reason for the information leak, but in the Discord community it said that it is actively fixing the website, shuffling all the previously leaked metadata, and rearranging the NFT rarity.
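
The public-folder metadata flaw and the team's planned reshuffle both concern how the token-to-metadata assignment is protected before reveal. The Python below is an added example, not code from the Ali NFT project: it serves one placeholder for every token until reveal, fixes the assignment only at reveal time from a seed, and publishes a hash commitment to the metadata list beforehand. All names, the sample metadata and the seed source are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample data; a real collection keeps this file outside the web root.
SECRET_METADATA = [
    {"name": f"Avatar {i}", "rarity": r}
    for i, r in enumerate(["common", "common", "rare", "legendary"])
]
PLACEHOLDER = {"name": "Blind Box", "rarity": "unrevealed"}


def provenance_hash(items):
    """Commitment to the ordered metadata list, published before the sale."""
    outer = hashlib.sha256()
    for item in items:
        outer.update(hashlib.sha256(json.dumps(item, sort_keys=True).encode()).digest())
    return outer.hexdigest()


def permutation(seed: bytes, n: int):
    """Deterministic Fisher-Yates shuffle driven by SHA-256(seed || index)."""
    order = list(range(n))
    for i in range(n - 1, 0, -1):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        j = int.from_bytes(digest, "big") % (i + 1)
        order[i], order[j] = order[j], order[i]
    return order


class BlindBoxMetadata:
    def __init__(self, items):
        self._items = items
        self.commitment = provenance_hash(items)
        self._order = None  # token -> item mapping does not exist before reveal

    def reveal(self, seed: bytes):
        # Assumption: seed is unpredictable until sell-out (e.g. a later block hash).
        if self._order is not None:
            raise RuntimeError("already revealed")
        self._order = permutation(seed, len(self._items))

    def token_metadata(self, token_id: int):
        if not 0 <= token_id < len(self._items):
            raise KeyError(token_id)
        if self._order is None:
            return PLACEHOLDER  # same response for every token before reveal
        return self._items[self._order[token_id]]
```

Because the mapping is derived only at reveal, a leaked copy of the metadata list does not tell a buyer which token receives which item, and the commitment lets holders check afterwards that the list was not altered.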
