DefiLlama founder warns of a serious vulnerability in the Foundation NFT marketplace
An exploit can lead to the loss of platform tokens in just two transactions
21.06.2023 - 09:20
What’s new? The founder of the analytics platform DefiLlama, known by the nickname 0xngmi, discovered a serious vulnerability in the workings of the Foundation non-fungible token (NFT) marketplace six months ago. According to 0xngmi, the vulnerability has not yet been fixed, and exploiting it would allow an attacker to destroy all tokens issued on the platform in just two transactions.
The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed
— 0xngmi (@0xngmi) June 21, 2023
Details about the vulnerability. As the programmer noted, the platform uses the same contract when deploying collections in order to save resources. This design is not a problem in itself, but in Foundation's case the shared contract can be self-destructed.
According to 0xngmi, a combination of two platform features makes this possible. The first allows a creator to destroy a collection, and the deployment contract itself, if there are no NFTs in it. The second allows the platform developers, who are the owners of the contract, to destroy it. The programmer added that if the keys are leaked, a hacker could hold all the NFTs for ransom or simply destroy them.
The founder of DefiLlama stressed that the immutability and reliability of NFTs are in question, and a possible exploit would cause irreparable damage:
“The point is that all collectors that own foundation pieces assume that their NFTs are immutable in the blockchain and can't be manipulated, at most only metadata is at risk. However reality is very far from that, all NFTs are just 2 txs away from being destroyed.”
According to 0xngmi, he reported the problem six months ago, in December 2022, but the Foundation team never fixed it.
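For auditors and collectors, an added example (not from the article, 0xngmi or Foundation) that checks whether a contract's runtime bytecode contains the SELFDESTRUCT opcode at all, which is the precondition for the risk described above. The function names and sample bytecode are constructed for illustration; real bytecode would come from the `eth_getCode` JSON-RPC call.

```python
# Added example: linear-sweep scan of EVM runtime bytecode for SELFDESTRUCT.
# A hit means the opcode is present, not that it is reachable; trailing
# compiler metadata or embedded data can also produce false positives.

SELFDESTRUCT = 0xFF
PUSH1, PUSH32 = 0x60, 0x7F  # PUSHn carries n bytes of immediate data


def _to_bytes(code_hex):
    """Accept bytecode with or without a 0x prefix."""
    if code_hex.startswith(("0x", "0X")):
        code_hex = code_hex[2:]
    return bytes.fromhex(code_hex)


def naive_offsets(code_hex):
    """Offsets of every 0xff byte, including bytes that are only PUSH data."""
    return [i for i, b in enumerate(_to_bytes(code_hex)) if b == SELFDESTRUCT]


def selfdestruct_offsets(code_hex):
    """Offsets where 0xff is decoded as an instruction, skipping PUSH data."""
    code = _to_bytes(code_hex)
    hits = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            # Skip the opcode plus its 1..32 immediate bytes.
            pc += 1 + (op - PUSH1 + 1)
            continue
        if op == SELFDESTRUCT:
            hits.append(pc)
        pc += 1
    return hits


# Constructed samples (not real contract code):
# PUSH1 0xff, PUSH1 0x00, MSTORE, STOP -> 0xff appears only as data
SAMPLE_DATA_ONLY = "0x60ff60005200"
# CALLER, SELFDESTRUCT -> the opcode is a real instruction at offset 1
SAMPLE_DESTRUCTIBLE = "0x33ff"

if __name__ == "__main__":
    for name, code in [("data only", SAMPLE_DATA_ONLY),
                       ("destructible", SAMPLE_DESTRUCTIBLE)]:
        print(name, "naive:", naive_offsets(code),
              "decoded:", selfdestruct_offsets(code))
```

An empty result does not prove safety if the contract forwards execution to other code, so every contract it depends on needs the same check.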
Earlier, cybersecurity company CertiK received $500,000 for discovering the HamsterWheel vulnerability on the Sui blockchain. Exploiting it could cause the network’s nodes to fail.
And in May, experts at dWallet Labs discovered a vulnerability in multisignature accounts on the TRON blockchain that could have resulted in a loss of $500 million. It allowed bypassing the multisignature mechanism and confirming a transaction with just one signature. The problem was promptly fixed by the TRON team within days of the notification in February of this year.