DefiLlama founder warns of a serious vulnerability in the Foundation NFT marketplace
An exploit can lead to the loss of platform tokens in just two transactions
21.06.2023 - 09:20
What’s new? The founder of the analytics platform DefiLlama, known by the nickname 0xngmi, discovered a serious vulnerability in the workings of the Foundation non-fungible token (NFT) marketplace six months ago. According to 0xngmi, the vulnerability has not yet been fixed, and exploiting it would allow an attacker to destroy all tokens issued on the platform in just two transactions.
The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk
However reality is very far from that, all NFTs are just 2 txs away from being destroyed
— 0xngmi (@0xngmi) June 21, 2023
Details about the vulnerability. As the programmer noted, the platform reuses the same contract when deploying collections in order to save resources. This design is not problematic in itself, but in Foundation's case that contract can be self-destructed.
According to 0xngmi, a combination of two platform features makes this possible. The first allows the creator to destroy the collection and the deployment contract itself if there are no NFTs in it. The second allows the platform developers, who are already the owners of the contract, to destroy it. The programmer added that if the keys are leaked, a hacker could hold all the NFTs for ransom or simply destroy them.
The founder of DefiLlama stressed that the immutability and reliability of NFTs are in question, and a possible exploit would cause irreparable damage:
“The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed.”
According to 0xngmi, he reported the problem six months ago, in December 2022, but the Foundation team never fixed it.
Earlier, cybersecurity company CertiK received $500,000 for discovering the HamsterWheel vulnerability on the Sui blockchain. Exploiting it could cause the network’s nodes to fail.
And in May, experts at dWallet Labs discovered a vulnerability in multisignature accounts on the TRON blockchain that could have resulted in a loss of $500 million. It allowed bypassing the multisignature mechanism and confirming a transaction with just one signature. The problem was promptly fixed by the TRON team within days of the notification in February of this year.