KB Pair Burn Drain

The seed artifacts show that the PancakeSwap pair 0x0a86a9cc823f8febc1d26f1f880be3c986e7c042 held enough WBNB liquidity for the adversary to realize profit immediately after minting unauthorized P404.

3. Vulnerability Analysis & Root Cause Summary

This is an ATTACK-class ACT exploit caused by broken authorization in the NFT redemption path. The protocol invariant should be: only the owner of a P404NFT token, or an operator approved by that owner, may destroy that token and receive fungible redemption value. P404 violates that invariant in the dispatch branch that handles tokenId-sized values. When a caller executes P404Token.transfer(P404Token, tokenId), the overridden _update() function reaches transform(tokenId) before any NFT authorization check runs. transform() calls _erc721ToErc20(), which burns the NFT and mints 9800 P404 to msg.sender. The downstream burn succeeds because P404NFT.burn() only checks that msg.sender equals the configured token contract and does not validate the NFT owner or an approved operator. The result is a permissionless path for burning someone else's NFT and redirecting redemption proceeds to the attacker.

4. Detailed Root Cause Analysis

The relevant victim-side code from the collected verified sources is:

function _update(address from, address to, uint256 value) internal override {
    if (!isValidTokenId(value)) {
        super._update(from, to, value);
    }

    if (to == address(this) || to == erc721) {
        transform(value);
    } else {
        if (isValidTokenId(value)) {
            if (from != address(0)) {
                require(
                    iERC721CheckAuth(erc721).isAuthorized(from, msg.sender, value),
                    "P404: not authorized"
                );
            }
            IERC721(erc721).safeTransferFrom(from, to, value);
        }
    }
}

function _erc721ToErc20(uint256 _tokenId) internal {
    IERC721Burnable(erc721).burn(_tokenId);
    _mint(msg.sender, (TRANSFORM_PRICE * (10000 - TRANSFORM_LOSE_RATE)) / 10000);
}

Origin: verified P404Token source.

function burn(uint256 tokenId) external {
    require(
        p404contract == msg.sender,
        "P404NFT: only p404contract can burn"
    );
    _withdrawAndStoreERC721(tokenId);
}

Origin: verified P404NFT source.

These two snippets are sufficient to explain the exploit:

1. A tokenId-sized value is treated as an NFT identifier.
2. Sending that value to address(this) causes _update() to call transform(value).
3. That branch does not perform isAuthorized(from, msg.sender, value).
4. _erc721ToErc20() burns the NFT and mints fungible P404 to the caller.
5. P404NFT.burn() accepts the request because the caller is the trusted token contract, not because the real NFT owner approved it.

The on-chain trace confirms this exact execution path. The seed trace contains repeated entries such as:

P404Token::transfer(P404Token, 2)
  P404NFT::burn(2)
  emit Transfer(..., attacker, 9800000000000000000000)

Origin: seed trace for tx 0x3ad998a01ad1f1bbe6dba6a08e658c1749dabfa4a07da20ded3c73bcd6970d20.

The balance diff corroborates that unrelated NFT holders lost balances while the adversary gained proceeds. For example, holder 0x0f143ae118e38cd5218f1a1ada9b793053c6d679 lost four P404NFT balance units in the transaction-level diff, while the adversary EOA gained 64745879478674455403 wei net of the helper payout flow and before subtracting gas the helper realized 64820147313674455403 WBNB-equivalent output.

5. Adversary Flow Analysis

The adversary flow is fully contained in one transaction:

1. EOA 0xc468d9a3a5557bff457586438c130e3afbec2ff9 calls helper contract 0xdaef6079cb84405dac688a9f6956c6830b7ddbc6.
2. The helper iterates over public token IDs and calls P404Token.transfer(P404Token, tokenId).
3. For each existing victim-owned token ID, P404NFT.burn(tokenId) succeeds and 9800 P404 is minted to the helper.
4. After accumulating minted P404, the helper approves PancakeRouter 0x10ed43c718714eb63d5aa57b78b54704e256024e.
5. The helper swaps the minted P404 through the P404/WBNB pair and receives WBNB.
6. The helper withdraws WBNB to native BNB and transfers the proceeds back to the originating EOA.

Representative trace evidence:

P404Token::approve(router, max)
swapExactTokensForTokensSupportingFeeOnTransferTokens(... path=[P404,WBNB] ...)
WBNB::withdraw(64820147313674455403)

Origin: seed trace for the exploit transaction.

This matches the ACT framing in root_cause.json: any unprivileged actor could deploy a similar helper, select existing public token IDs, and execute the same redemption and liquidation sequence against the pre-state immediately before block 39141427.

6. Impact & Losses

The attack burned 374 NFTs held by unrelated P404NFT holders and extracted liquidity from the PancakeSwap pool. The measured protocol-side token loss recorded in the analysis is:

• WBNB: 64820147313674455403 raw units (64.820147313674455403 WBNB)

The adversary EOA's net result after transaction fees was a positive 64.671611643674455403 BNB, based on:

• balance before: 3.036430852789792412 BNB
• balance after: 67.782310331464247815 BNB
• fee paid: 0.074267835 BNB

The economic damage therefore affected both NFT holders, whose tokens were destroyed without consent, and the liquidity pool that paid out the WBNB used to realize the attacker's profit.

7. References

• Seed exploit transaction: 0x3ad998a01ad1f1bbe6dba6a08e658c1749dabfa4a07da20ded3c73bcd6970d20
• Adversary EOA: 0xc468d9a3a5557bff457586438c130e3afbec2ff9
• Adversary helper contract: 0xdaef6079cb84405dac688a9f6956c6830b7ddbc6
• Victim token contract: 0xef1f39d8391cddcaee62b8b383cb992f46a6ce4f
• Victim NFT contract: 0x336a7675a863c12f7b49061b3ecb9e54be5e2120
• WBNB token: 0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c
• PancakeRouter: 0x10ed43c718714eb63d5aa57b78b54704e256024e
• Pancake pair: 0x0a86a9cc823f8febc1d26f1f880be3c986e7c042
• Evidence artifacts used: seed metadata, seed trace, seed balance diff, verified P404Token source, verified P404NFT source