24-hours-cooltime NFT Transfer bypass leads to illicit TOWN copy

24-hours-cooltime NFT Transfer bypass leads to illicit TOWN copy 

Summary : 
While some cheaters create multiple accounts and they transfer their NFTs to the other accounts to collect more rewards, For example 200 rarity VOX could be 2000 TOWN with 10 accounts in a day. 
So the limitation of  24-hours-cooltime NFT transfer has been patched two weeks ago, But it is still working in the wild because TownStar checks its NFT transfer time when only placing/displacing NFT.  

Steps to reproduce : 
Account#1 send his NFT to Account#2 
However, Account#1’s TownStar has the NFT in game (never deleted by server until user returns it to his inventory )
Account#2 receives the NFT and places it in his TownStar 
Account#2 sends the NFT to Account#1  
Now Account#1 could collect rewards when he prepared (24 hours cooltime NFT  transfer limitation doesn't work here) 
Vice verse when Account#2 is prepared.  

Impact : 
As the TOWN reward is a core of P2E game, this kind of illicit copying or multiplying of TOWN by NFT transfer (24-hours-cooltime bypass) would be a great concern and highly risk to the game business. 
Moreover, when it spreads to public, it could affect entire gala ecosystem which intends to GALA:TOWN=1:2  
It needs Priority Number 1 patch

Mitigation : 
Check NFT transfer history or user’s Inventory for the latest received time of NFTs when a user tries to collect their rewards
Displace NFT in TownStar right after when user transfers it 

Reference :https://discord.com/channels/692403822265368626/727262385597055126/915287951766859877

Timeline : 
2021/12/17 Report sent 
2021/12/18 Fixed by Gala Games

Feedback :