ERC-2771 integration introduces address spoofing vulnerability – OpenZeppelin



Shortly after Thirdweb disclosed a security vulnerability that could affect various smart contracts used in the Web3 ecosystem, OpenZeppelin identified the combination of two specific standards as the cause of the vulnerability.

On December 4, Thirdweb reported a vulnerability in a commonly used open-source library that could affect pre-built contracts including DropERC20, ERC-721, ERC-1155 (all versions), and AirdropERC20.

In response, smart contract development platform OpenZeppelin and non-fungible token marketplaces Coinbase NFT and OpenSea proactively notified users about the threat. Upon further investigation, OpenZeppelin found that the vulnerability came from a “problematic combination of two distinct standards: ERC-2771 and Multicall.”

The smart contract vulnerability in question arises when the ERC-2771 and Multicall standards are integrated in the same contract. OpenZeppelin has identified 13 vulnerable smart contracts, shown below, and crypto service providers are advised to address the issue before bad actors find a way to exploit the vulnerability.

Smart contract vulnerabilities related to ERC-2771 integration. Source: Thirdweb

OpenZeppelin's investigation revealed that the ERC-2771 standard allows the sender address seen by a contract to be overridden by a trusted forwarder. Combined with Multicall, this can be abused to spoof the sender's address and make calls on their behalf.

An attacker can bundle multiple calls into a single multicall(bytes[]). Source: OpenZeppelin
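To make the mechanism concrete, here is an added illustration (not code from OpenZeppelin's or Thirdweb's repositories) of the vulnerable pattern next to a hardened one; the contract names are hypothetical, and the hardened loop mirrors the approach OpenZeppelin adopted of re-appending the forwarder's context suffix to every inner call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-2771-style context: when the caller is the trusted forwarder,
// the real sender is read from the last 20 bytes of calldata.
abstract contract MinimalERC2771Context {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) { _trustedForwarder = trustedForwarder_; }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    function _msgSender() internal view virtual returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    // Trailing calldata bytes the forwarder appended: 20 when forwarded, else 0.
    function _contextSuffixLength() internal view virtual returns (uint256) {
        return isTrustedForwarder(msg.sender) ? 20 : 0;
    }
}

// VULNERABLE: each user-supplied data[i] is delegatecalled unchanged. Inside the
// inner call msg.sender is still the forwarder, so the last 20 bytes of data[i],
// chosen by whoever built the request, are read back as the "sender".
abstract contract VulnerableMulticall is MinimalERC2771Context {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "multicall: inner call failed");
            results[i] = ret;
        }
    }
}

// HARDENED: the suffix the forwarder actually appended to the outer calldata is
// re-attached to every inner call, so each inner _msgSender() resolves to the
// address the forwarder verified rather than to bytes supplied in data[i].
abstract contract HardenedMulticall is MinimalERC2771Context {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes calldata context = msg.data[msg.data.length - _contextSuffixLength():];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "multicall: inner call failed");
            results[i] = ret;
        }
    }
}
```

A contract that inherits both an ERC-2771 context and the vulnerable loop above should be treated as exposed even if it never calls the forwarder itself, since the forwarder decides who the inner calls appear to come from.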

OpenZeppelin recommends that the Web3 community follow a four-step approach to secure contracts that use the above integration: disable every trusted forwarder, pause contracts and revoke approvals, prepare an upgrade, and review snapshot options.

In addition, Thirdweb has launched a tool that lets users connect their wallets and check whether their contracts are vulnerable.

Decentralized finance platform Velodrome has deactivated its relayer service until a new version is deployed.

Related: Coinbase's Base Network Gets OpenZeppelin Security Integration

In a recent Cointelegraph Magazine article, experts describe how artificial intelligence (AI) can help with smart contract audits and cybersecurity efforts.

James Edwards, lead cybersecurity researcher at Librehash, said that while AI chatbots can develop smart contracts, deploying them in a live environment is risky.

On the other hand, Edwards explained that the technology has the potential to refine smart contracts. Recent tests have demonstrated the AI's ability to “diagnose with an unprecedented level of accuracy far beyond what one would expect and receive from GPT-4.”

While he admits it is not yet as good as a human auditor, it can already make a solid first pass that speeds up the auditor's work and makes it more thorough.

Magazine: Legislators' fear and skepticism fuel proposed crypto regulations in the US.


