{"id":26318,"date":"2023-12-08T08:10:22","date_gmt":"2023-12-08T08:10:22","guid":{"rendered":"https:\/\/nftandcrypto-news.com\/crypto\/erc-2771-integration-introduces-address-spoofing-vulnerability-openzeppelin\/"},"modified":"2023-12-08T08:10:25","modified_gmt":"2023-12-08T08:10:25","slug":"erc-2771-integration-introduces-address-spoofing-vulnerability-openzeppelin","status":"publish","type":"post","link":"https:\/\/nftandcrypto-news.com\/crypto\/erc-2771-integration-introduces-address-spoofing-vulnerability-openzeppelin\/","title":{"rendered":"ERC-2771 integration introduces address spoofing vulnerability \u2014 OpenZeppelin"},"content":{"rendered":"
\n

Soon after Thirdweb revealed a security vulnerability that could impact a variety of common smart contracts used across the Web3 ecosystem, OpenZeppelin identified two specific standards as the root cause of the threat.<\/p>\n

On Dec. 4, Thirdweb reported a vulnerability in a commonly used open-source library, which could impact pre-built contracts, including DropERC20, ERC-721, ERC-1155 (all versions) and AirdropERC20. <\/p>\n

\n

IMPORTANT <\/p>\n

On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.<\/p>\n

This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb\u2019s pre-built smart contracts.\u2026<\/p>\n

\u2014 thirdweb (@thirdweb) December 5, 2023<\/a><\/p><\/blockquote>\n

In response, smart contract development platform OpenZeppelin<\/a> and nonfungible token marketplaces Coinbase NFT<\/a> and OpenSea<\/a> proactively informed users about the threat. Upon further investigation, OpenZeppelin found that the vulnerability stems from \u201ca problematic integration of two specific standards: ERC-2771 and Multicall.\u201d<\/p>\n

The vulnerability arises when a contract integrates both the ERC-2771 and Multicall standards. OpenZeppelin identified 13 sets of vulnerable smart contracts, as shown below, and advised crypto service providers to address the issue before bad actors find a way to exploit it.<\/p>\n

Smart contract vulnerabilities linked to ERC-2771 integration. Source: Thirdweb<\/em><\/figcaption><\/figure>\n

OpenZeppelin\u2019s investigation found that the ERC-2771 standard allows certain call functions to be overridden, which could be exploited to extract the sender\u2019s address information and spoof calls on their behalf.<\/p>\n

\"\"
An attacker can potentially wrap multiple spoofed calls within a single multicall(bytes[]). Source:\u00a0OpenZeppelin<\/em><\/figcaption><\/figure>\n

OpenZeppelin advised the Web3 community using the aforementioned integrations to follow a four-step method for ensuring safety: disable every trusted forwarder, pause the contract and revoke approvals, prepare an upgrade, and evaluate snapshot options.<\/p>\n


In addition, Thirdweb launched a mitigation tool that allows users to connect their wallets and check whether a contract is vulnerable.<\/p>\n

\n

Today the @OpenZeppelin<\/a> team disclosed details about the @thirdweb<\/a> vulnerabilities to our team. We’ve identified a few functions in the Relay contracts that could be griefed. As such, we are deactivating Relay until the necessary adjustments can be made. <\/p>\n

To be absolutely clear,\u2026<\/p>\n

\u2014 Velodrome (@VelodromeFi) December 8, 2023<\/a><\/p><\/blockquote>\n

The decentralized finance platform Velodrome also deactivated its relay services until a new version was installed.<\/p>\n

Related: <\/em><\/strong>Coinbase\u2019s Base network gets OpenZeppelin security integration<\/em><\/strong><\/p>\n

In a recent Cointelegraph Magazine article, experts revealed how artificial intelligence (AI) can help audit smart contracts and aid cybersecurity efforts. <\/p>\n

\n

gm \u2615\ufe0f <\/p>\n

As someone with zero Solidity proficiency, I had an already efficient smart contract tailored to my own needs by AI.<\/p>\n

I dumped @Azuki<\/a>\u2019s smart contract into GPT-4 and had it ask me relevant questions.<\/p>\n

Disclaimer: Professional human audits and devs are still important to\u2026 pic.twitter.com\/K4UGfFC5dp<\/a><\/p>\n

\u2014 SV (@0xSMV) March 16, 2023<\/a><\/p><\/blockquote>\n

James Edwards, the lead maintainer for cybersecurity investigator Librehash, said that while AI chatbots can develop smart contracts, deploying them in a live environment is risky. <\/p>\n

On the other hand, Edwards highlighted the technology\u2019s potential to vet smart contracts. Recent tests showed AI\u2019s ability to \u201caudit contracts with an unprecedented amount of accuracy that far surpasses what one could expect and would receive from GPT-4.\u201d<\/p>\n

While he concedes it\u2019s not as good as a human auditor yet, it can already do a strong first pass to speed up the auditor\u2019s work and make it more comprehensive.<\/p>\n

Magazine: <\/em><\/strong>Lawmakers\u2019 fear and doubt drives proposed crypto regulations in US<\/em><\/strong><\/p>\n<\/div>\n