DefiLlama founder warns of a serious vulnerability in the Foundation NFT marketplace
An exploit can lead to the loss of platform tokens in just two transactions
21.06.2023 - 09:20
800
2 min
0
What’s new? The founder of the analytics platform DefiLlama, known by the nickname 0xngmi, discovered a serious vulnerability in the workings of the Foundation non-fungible token (NFT) marketplace six months ago. According to 0xngmi, the vulnerability has not yet been fixed, and exploiting it would allow an attacker to destroy all tokens issued on the platform in just two transactions.
The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at riskHowever reality is very far from that, all NFTs are just 2 txs away from being destroyed
— 0xngmi (@0xngmi) June 21, 2023
Details about the vulnerability. As the programmer noted, the same contract is used to save resources when deploying collections on the platform. By itself, this principle of operation is not problematic, but in the case of the Foundation, there is a possibility of self-destruction of this contract.
According to 0xngmi, a combination of two platform features can lead to this. The first allows the creator to destroy the collection and the deployment contract itself if there are no NFTs in it. The second allows the platform developers, already the owners of the contract, to destroy it. The programmer added that if the keys are leaked, the hacker can hold on to all the NFTs for ransom or simply destroy them.
The founder of DefiLlama stressed that the immutability and reliability of NFTs are in question, and a possible exploit would cause irreparable damage:
“The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed.”
According to 0xngmi, he reported the problem six months ago, in December 2022, but the Foundation team never fixed it.
Earlier, cybersecurity company CertiK received $500 000 for discovering the HamsterWheel vulnerability on the Sui blockchain. Its use could lead to the failure of the network’s nodes.
And in May, experts at dWallet Labs discovered a vulnerability in multisignature accounts on the TRON blockchain that could have resulted in a loss of $500 million. It allowed bypassing the multisignature mechanism and confirming a transaction with just one signature. The problem was promptly fixed by the TRON team within days of the notification in February of this year.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Telegram
Twitter