ERC-2771 integration introduces address spoofing vulnerability – OpenZeppelin
Shortly after Thirdweb disclosed a security vulnerability that could affect various smart contracts used in the Web3 ecosystem, OpenZeppelin identified the combination of two specific standards as its cause.
On December 4, Thirdweb reported a vulnerability in a commonly used open-source library that could affect its pre-built contracts, including DropERC20, ERC-721, ERC-1155 (all versions) and AirdropERC20.
On November 20, 2023 at 6:00 PM PST, we became aware of a security vulnerability in a widely used open source library in the Web3 industry.
This affects various smart contracts on the web3 ecosystem, including some third-party pre-built smart contracts.…
— Thirdweb (@thirdweb) December 5, 2023
In response, smart contract development platform OpenZeppelin and the non-fungible token (NFT) marketplaces Coinbase NFT and OpenSea proactively notified users about the threat. On further investigation, OpenZeppelin found that the vulnerability came from a "problematic combination of two distinct standards: ERC-2771 and Multicall."
The vulnerability arises when a contract integrates both the ERC-2771 meta-transaction standard and the Multicall pattern. OpenZeppelin identified 13 vulnerable smart contracts, and crypto service providers are advised to address the issue before bad actors find a way to exploit it.
OpenZeppelin's investigation found that ERC-2771 lets a trusted forwarder append the original sender's address to the calldata of a call, and the recipient contract then treats the last 20 bytes of calldata as the sender. When the same contract also exposes a Multicall function that re-submits caller-supplied calldata slices to itself, an attacker going through the trusted forwarder can place any address at the end of each inner call, and the contract will treat that address as the sender, allowing calls to be made on another user's behalf.
OpenZeppelin recommends that the Web3 community take a four-step approach to secure contracts that use both integrations: disable every trusted forwarder, pause the contract and revoke approvals, prepare an upgrade, and evaluate snapshot options.
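The mechanism described above, as a byte-level model added here for illustration (it is not OpenZeppelin's or Thirdweb's code): a trusted forwarder appends the verified sender to calldata, the recipient reads the sender from the last 20 bytes, and an unpatched Multicall lets the attacker decide what those last 20 bytes are in each inner call. The addresses, 4-byte selectors and tiny calldata format are assumptions chosen to keep the model short. The patched variant mirrors the shape of the fix OpenZeppelin shipped, which re-appends the outer call's sender to every sub-call.

```python
"""Byte-level model of the ERC-2771 + Multicall address-spoofing issue.

Added example for this page; not OpenZeppelin's or Thirdweb's code. Addresses,
selectors and the calldata encoding are assumptions for illustration only.
"""
import struct

# Constructed 20-byte addresses (assumptions, not real accounts).
FORWARDER = b"\xf0" * 20  # the recipient contract's trusted ERC-2771 forwarder
ALICE = b"\xa1" * 20      # victim token holder
MALLORY = b"\xbd" * 20    # attacker

SEL_TRANSFER = b"\x00\x00\x00\x01"   # hypothetical function selectors
SEL_MULTICALL = b"\x00\x00\x00\x02"


def encode_transfer(to: bytes, amount: int) -> bytes:
    """selector || to (20 bytes) || amount (8 bytes, big-endian)"""
    return SEL_TRANSFER + to + struct.pack(">Q", amount)


def encode_multicall(calls: list) -> bytes:
    """selector || count (1 byte) || (len (2 bytes) || payload)*"""
    body = b"".join(struct.pack(">H", len(c)) + c for c in calls)
    return SEL_MULTICALL + bytes([len(calls)]) + body


def forward(call: bytes, verified_sender: bytes):
    """ERC-2771 trusted forwarder: after verifying the user's signature (omitted
    here) it appends the user's address to the calldata and calls the recipient
    from its own address, so the recipient sees msg.sender == FORWARDER."""
    return FORWARDER, call + verified_sender


class Token:
    """Recipient contract that mixes ERC-2771 Context with Multicall."""

    def __init__(self, patched_multicall: bool):
        self.patched_multicall = patched_multicall
        self.balances = {ALICE: 100, MALLORY: 0}

    def _msg_sender(self, msg_sender: bytes, calldata: bytes) -> bytes:
        # ERC-2771 Context: when the trusted forwarder is the caller, the real
        # sender is whatever occupies the last 20 bytes of calldata.
        if msg_sender == FORWARDER and len(calldata) >= 20:
            return calldata[-20:]
        return msg_sender

    def dispatch(self, msg_sender: bytes, calldata: bytes) -> None:
        sel = calldata[:4]
        if sel == SEL_TRANSFER:
            self._transfer(msg_sender, calldata)
        elif sel == SEL_MULTICALL:
            self._multicall(msg_sender, calldata)
        else:
            raise ValueError("unknown selector")

    def _transfer(self, msg_sender: bytes, calldata: bytes) -> None:
        sender = self._msg_sender(msg_sender, calldata)
        to = calldata[4:24]
        (amount,) = struct.unpack(">Q", calldata[24:32])
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")  # revert
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def _multicall(self, msg_sender: bytes, calldata: bytes) -> None:
        # Patched variant: re-append the outer call's verified sender to every
        # sub-call, so the attacker's trailing bytes are no longer the last 20.
        suffix = b""
        if self.patched_multicall and msg_sender == FORWARDER:
            suffix = calldata[-20:]
        count = calldata[4]
        pos = 5
        for _ in range(count):
            (n,) = struct.unpack(">H", calldata[pos:pos + 2])
            sub = calldata[pos + 2:pos + 2 + n]
            pos += 2 + n
            # delegatecall keeps msg.sender, so each sub-call still looks as if
            # it came from the trusted forwarder.
            self.dispatch(msg_sender, sub + suffix)


def run_attack(patched: bool):
    """Mallory sends, through the forwarder, a multicall whose inner transfer
    ends with Alice's address. Returns (spoof_succeeded, balances)."""
    token = Token(patched)
    inner = encode_transfer(MALLORY, 100) + ALICE   # trailing 20 bytes = spoofed sender
    outer = encode_multicall([inner])
    msg_sender, calldata = forward(outer, MALLORY)  # forwarder appends the real sender
    try:
        token.dispatch(msg_sender, calldata)
        return True, token.balances
    except ValueError:
        return False, token.balances


def run_honest_meta_tx(patched: bool):
    """Alice genuinely sends 40 tokens via the forwarder; the patch must keep
    this working. Returns the balances afterwards."""
    token = Token(patched)
    outer = encode_multicall([encode_transfer(MALLORY, 40)])
    msg_sender, calldata = forward(outer, ALICE)
    token.dispatch(msg_sender, calldata)
    return token.balances


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))
    print("patched:", run_attack(True))
    print("honest meta-tx, patched:", run_honest_meta_tx(True))
```

With the unpatched Multicall the forwarded call drains Alice's balance even though Mallory signed it; with the patched one the same payload reverts, because the contract now reads Mallory's address, while a genuine meta-transaction from Alice still works. The real Multicall uses ABI-encoded `bytes[]`, so the trailing sender bytes are ignored by the decoder just as the count-based parser above ignores them.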
In addition, Thirdweb has released a tool that lets users connect their wallets and check whether a contract is vulnerable.
Today the @OpenZeppelin team revealed details about @thirdweb vulnerabilities to our team. We have identified a few functions that may be overlooked in relay contracts. As such, we are disabling Relay until the necessary fixes are made.
To be perfectly clear,…
— Velodrome (@VelodromeFi) December 8, 2023
Decentralized finance platform Velodrome has disabled its Relay service until a fixed version is deployed.
Related: Coinbase's Base Network Gets OpenZeppelin Security Integration
In a recent Cointelegraph Magazine article, experts described how artificial intelligence (AI) can aid smart contract audits and cybersecurity efforts.
GM ☕️
As a Zero Solidity incompetent, I already had an efficient smart contract tailored to my needs by AI.
I dropped @Azuki's smart contract into GPT-4 and had it ask me relevant questions.
Disclaimer: Professional human audits and dives are still important… pic.twitter.com/K4UGfFC5dp
— SV (@0xSMV) March 16, 2023
James Edwards, lead cybersecurity researcher at Librehash, said that while AI chatbots can develop smart contracts, deploying them in a live environment is risky.
On the other hand, Edwards explained that the technology has the potential to refine smart contracts. Recent tests have demonstrated the AI's ability to "diagnose with an unprecedented level of accuracy far beyond what one would expect and receive from GPT-4."
While he admits the AI is not yet as good as a human auditor, he said it can already make a solid first pass that speeds up an auditor's work and makes it more thorough.
Magazine: Legislators' fear and skepticism fuel proposed crypto regulations in the US.