Thirdweb Discloses Potential Web3 Ecosystem Vulnerability; OpenZeppelin Pinpoints Root Causes
Summary:
Thirdweb has unveiled a security vulnerability in a widely used open-source library that could affect many smart contracts across the Web3 ecosystem, including DropERC20, ERC721, ERC1155 and AirdropERC20. OpenZeppelin identifies the issue as arising from the integration of two specific standards, ERC-2771 and Multicall. OpenZeppelin, Coinbase NFT, and OpenSea have informed users about the threat, and OpenZepplin suggests a 4-step method for safety. Meanwhile, Thirdweb has released a tool to help users determine contract vulnerability, and DeFi platform Velodrome has temporarily deactivated its Relay services.
A security breach with potential repercussions for numerous prevalent Web3 ecosystem smart contracts was recently disclosed by Thirdweb. Following the revelation, OpenZeppelin pinpointed two particular standards as the initial source of the risk. On December 4th, Thirdweb brought to light a security flaw in a widely utilized open-source library, which could affect pre-established contracts like DropERC20, ERC721, ERC1155 (all renditions), and AirdropERC20.
As a reaction to this, OpenZepplin, in collaboration with NFT marketplaces Coinbase NFT and OpenSea, took the initiative of educating their users regarding the threat. Detailed scrutiny by OpenZepplin revealed that this vulnerability originated from the flawed fusion of two specific standards: ERC-2771 and Multicall. OpenZepplin detected 13 instances of susceptible smart contracts. To prevent their exploitation by malicious entities, they advised cryptocurrency service providers to rectify the issue promptly.
OpenZepplin's investigation disclosed that the ERC-2771 standard permits the alteration of certain call functions. This loophole could be exploited to retrieve and spoof the sender’s address information. The attackers may then embed multiple fake calls within a single multicall(bytes[]). To secure their systems, OpenZepplin recommended that Web3 community members using these integrations follow a 4-step safety process — deactivate every trusted forwarder, halt the contract and revoke approvals, plan an upgrade, and assess snapshot options.
To aid users, Thirdweb rolled out a tool that assists in connecting their wallets and determining if a contract is at risk. Concurrently, the decentralized finance (DeFi) platform Velodrome chose to disable its Relay services until a new edition is up and running.
In a recent article in Cointelegraph Magazine, experts shed light on how artificial intelligence (AI) can contribute to the auditing of smart contracts and bolster cybersecurity measures. James Edwards, the main maintainer for cybersecurity investigator Librehash, opined that although AI chatbots have the potential to create smart contracts, their deployment in a real-world setting carries risks. However, he also emphasized that AI technology can be used to vet smart contracts. Recent experiments demonstrated AI's capability to inspect contracts with an extreme degree of accuracy surpassing expectations and eclipsing the performance of GPT-4. While Edwards accepts that AI is not yet on par with human auditors, he believes it's already capable of performing an effective preliminary check, thereby streamlining the auditor’s work and making it more thorough.
Published At
12/8/2023 9:58:42 AM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.