# Mr Steal Yo Crypto - Game Assets

**Published by:** [Proxy](https://paragraph.com/@proxy-3/)

**Published on:** 2024-01-26

**URL:** https://paragraph.com/@proxy-3/mr-steal-yo-crypto-game-assets

## Content

### Disclaimer

This is not a walkthrough of every contract or all the code in the challenge. I am sharing my notes and the resources I used to complete this challenge, as well as some lessons I think are useful to take away after completing it. I highly recommend you finish the challenge yourself first and only use this as additional content.

### Notes

- `GameAsset` and `AssetHolder` seem like normal ERC721 and ERC1155 contracts.
- Looking at the `AssetWrapper` contract's `wrap` function, we see it immediately calls `_wrap`, which mints an ERC1155 token to the `assetOwner` parameter without any check that it is the owner of the ERC721 token, so anyone can mint the ERC1155.
- Another major problem is that `_wrap` calls ERC1155's `_mint` function, which can be maliciously used via reentrancy, because `_mint` calls the external function `onERC1155Received` to check that a contract can receive the ERC1155 token.
- Wrapping tokens into ERC1155 can be dangerous because there are several functions from which we can reenter a contract if there is no `ReentrancyGuard` implemented.
- The vulnerable ERC1155 functions are `safeTransferFrom()`, `safeBatchTransferFrom()`, `_mint()` and `_mintBatch()` (more on this in the Resources section).
- This is because all of these functions make an external function call to the `msg.sender` contract, calling the `onERC1155Received()` function, from where an attacker can reenter.

### Attack Contract

The attack contract needs to call `wrap` for the first NFT with `assetOwner = address(this)` and implement `onERC1155Received` to then call `wrap` again for the other NFT with the same `assetOwner`, and then call `unwrap` on both NFTs to trap them in the wrapper contract.

### Resources

- Challenge link
- GitHub contracts
- Attack contract
- Test file with solution
- Where to find solidity reentrancy attacks (RareSkills)
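The two problems listed in the notes (no ownership check before minting, and `_mint` handing control to the recipient's `onERC1155Received`) can be closed as in the following added example, which is not the challenge's code. The contract name, storage layout and function signatures are hypothetical, and OpenZeppelin Contracts 4.x import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical hardened wrapper; names and layout are illustrative,
// not taken from the challenge's AssetWrapper.
contract HardenedAssetWrapper is ERC1155, ReentrancyGuard {
    struct Wrapped { address asset; uint256 assetId; }
    mapping(uint256 => Wrapped) public wrappedOf; // ERC1155 id => ERC721 token
    uint256 private _nextId = 1;

    constructor() ERC1155("") {}

    // The caller must have approved this contract for `assetId` beforehand.
    function wrap(address asset, uint256 assetId)
        external nonReentrant returns (uint256 id)
    {
        // Check: only the current ERC721 owner may wrap. The wrapped token
        // goes to msg.sender, never to a caller-supplied address.
        require(IERC721(asset).ownerOf(assetId) == msg.sender, "not owner");

        // Effects: record the mapping before any external call.
        id = _nextId++;
        wrappedOf[id] = Wrapped(asset, assetId);

        // Interactions: take custody first, then mint. _mint invokes
        // onERC1155Received on a contract recipient, so it runs last and
        // nonReentrant rejects any nested wrap/unwrap from that callback.
        IERC721(asset).transferFrom(msg.sender, address(this), assetId);
        _mint(msg.sender, id, 1, "");
    }

    function unwrap(uint256 id) external nonReentrant {
        require(balanceOf(msg.sender, id) == 1, "not holder");
        Wrapped memory w = wrappedOf[id];

        // Effects before the outgoing ERC721 transfer.
        delete wrappedOf[id];
        _burn(msg.sender, id, 1);

        // transferFrom (not safeTransferFrom) triggers no receiver callback.
        IERC721(w.asset).transferFrom(address(this), msg.sender, w.assetId);
    }
}
```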