The Idols NFT: Self-Transfer Reward Loop (Logic Bug in Token Transfer Hook)
The Idols NFT lost 97 stETH ($324k) to a reward accounting loop triggered by self-transfers — when a user sent tokens to themselves with a balance of exactly 1, the contract entered an infinite reward cycle.
Summary #
The Idols NFT suffered a NFT Protocol / Staking Rewards on 2025-01-14, resulting in a loss of approximately $324K.
What happened #
The Idols NFT lost 97 stETH ($324k) to a reward accounting loop triggered by self-transfers — when a user sent tokens to themselves with a balance of exactly 1, the contract entered an infinite reward cycle.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited (if Tikkala Security did audit) or unaudited (if they were only the detector) — unclear]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated self-transfer transactions (sender = receiver) on the NFT contract; stETH balance declining in reward reserves]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]