DefiLlama founder warns of a serious vulnerability in the Foundation NFT marketplace
An exploit can lead to the loss of platform tokens in just two transactions
21.06.2023 - 09:20
What’s new? The founder of the analytics platform DefiLlama, known by the nickname 0xngmi, discovered a serious vulnerability in the workings of the Foundation non-fungible token (NFT) marketplace six months ago. According to 0xngmi, the vulnerability has not yet been fixed, and exploiting it would allow an attacker to destroy all tokens issued on the platform in just two transactions.
The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed
— 0xngmi (@0xngmi) June 21, 2023
Details about the vulnerability. As the programmer noted, the platform uses the same contract when deploying collections in order to save resources. This design is not problematic by itself, but in Foundation's case the shared contract can be self-destructed.
According to 0xngmi, a combination of two platform features makes this possible. The first allows a creator to destroy the collection and the deployment contract itself if there are no NFTs in it. The second allows the platform developers, who are already the owners of the contract, to destroy it. The programmer added that if the keys are leaked, an attacker could hold all the NFTs for ransom or simply destroy them.
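An auditor or collector reviewing a shared contract of the kind described above can check whether its runtime bytecode contains the SELFDESTRUCT opcode at all. The Python code below is an added example, not code from 0xngmi or Foundation; the function names are hypothetical and the bytecode samples are constructed for illustration.

```python
# Added example: static check for SELFDESTRUCT in EVM runtime bytecode.
SELFDESTRUCT = 0xFF
PUSH1, PUSH32 = 0x60, 0x7F

# Constructed samples (not taken from any real contract):
SAFE = "60ff60005500"            # PUSH1 0xff, PUSH1 0x00, SSTORE, STOP
DESTRUCTIBLE = "60005033ff"      # PUSH1 0x00, POP, CALLER, SELFDESTRUCT
# SAFE plus a CBOR trailer {"x": h'ffff'} and its 2-byte length (0x0006)
SAFE_WITH_METADATA = SAFE + "a1617842ffff" + "0006"


def strip_solidity_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer that solc appends to runtime code.

    The last two bytes hold the trailer length (big-endian) and the trailer
    starts with a CBOR map header (0xa0-0xbf). Its contents are data, not
    instructions, and can contain 0xff by chance.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - meta_len
    if meta_len > 0 and start >= 0 and 0xA0 <= code[start] <= 0xBF:
        return code[:start]
    return code


def find_selfdestruct(runtime_hex: str) -> list[int]:
    """Return byte offsets of SELFDESTRUCT opcodes found by a linear sweep."""
    code = strip_solidity_metadata(bytes.fromhex(runtime_hex.removeprefix("0x")))
    offsets, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == SELFDESTRUCT:
            offsets.append(pc)
        # PUSH1..PUSH32 carry 1..32 bytes of immediate data: skip them,
        # otherwise a pushed constant such as 0xff is misread as an opcode.
        pc += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)
    return offsets


if __name__ == "__main__":
    for name in ("SAFE", "DESTRUCTIBLE", "SAFE_WITH_METADATA"):
        hits = find_selfdestruct(globals()[name])
        print(f"{name}: SELFDESTRUCT at offsets {hits}" if hits else f"{name}: none found")
```

A hit is a prompt for manual review of who can reach that instruction, not proof that it is reachable. An empty result does not rule out destruction through code the contract delegates to.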
The founder of DefiLlama stressed that the immutability and reliability of NFTs are in question, and a possible exploit would cause irreparable damage:
“The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed.”
According to 0xngmi, he reported the problem six months ago, in December 2022, but the Foundation team never fixed it.
Earlier, cybersecurity company CertiK received $500 000 for discovering the HamsterWheel vulnerability on the Sui blockchain. Its use could lead to the failure of the network’s nodes.
And in May, experts at dWallet Labs discovered a vulnerability in multisignature accounts on the TRON blockchain that could have resulted in a loss of $500 million. It allowed bypassing the multisignature mechanism and confirming a transaction with just one signature. The problem was promptly fixed by the TRON team within days of the notification in February of this year.