Thirdweb recently disclosed a security vulnerability affecting a range of widely-used smart contracts across the Web3 ecosystem. Following this, OpenZeppelin pinpointed two specific standards as the primary sources of this security issue.
On December 4, Thirdweb reported a flaw in a popular open-source library, potentially impacting pre-built contracts such as DropERC20, ERC-721, ERC-1155 (all versions), and AirdropERC20. In response, OpenZeppelin, a platform for smart contract development, along with non-fungible token (NFT) marketplaces like Coinbase NFT and OpenSea, promptly alerted their users about the threat. Further investigation by OpenZeppelin traced the vulnerability back to an improper integration of two specific standards: ERC-2771 and Multicall.
The vulnerability emerges from the combination of the ERC-2771 and Multicall standards. OpenZeppelin identified 13 sets of affected smart contracts and advised crypto service providers to address the issue promptly to prevent exploitation by malicious actors. OpenZeppelin found that a contract which both trusts an ERC-2771 forwarder and exposes a Multicall entry point can have its sender-resolution logic overridden: the sender address a forwarder appends to the call can be replaced, allowing an attacker to spoof calls on another user's behalf.
To ensure safety, OpenZeppelin recommended a four-step approach for the Web3 community using these integrations: disabling every trusted forwarder, pausing contracts and revoking approvals, preparing for an upgrade, and evaluating snapshot options. Additionally, Thirdweb released a mitigation tool enabling users to connect their wallets and check for vulnerable contracts. Velodrome, a decentralized finance platform, temporarily shut down its relay services until a new version was implemented.
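As an added illustration of the "prepare for an upgrade" step (this is my own sketch, not Thirdweb's or OpenZeppelin's code), the contract below shows a Multicall that is safe to combine with ERC-2771: when the outer call arrives through the trusted forwarder, the same 20-byte sender suffix is appended to every delegated sub-call, so a sub-call can never carry a sender of its own choosing. The single-forwarder constructor and the `ping` function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (not library code): ERC-2771 recipient plus a hardened Multicall.
contract SafeMulticall {
    address private immutable _trustedForwarder; // assumption: one forwarder fixed at deploy time

    mapping(address => uint256) public nonces;   // example state touched via ping()

    constructor(address forwarder) {
        _trustedForwarder = forwarder;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    // ERC-2771: if the trusted forwarder is calling, the real sender is the last 20 bytes of calldata.
    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    // Hardened multicall. delegatecall preserves msg.sender, so inside each sub-call
    // _msgSender() still believes the forwarder is calling and reads the calldata suffix.
    // Re-appending the outer call's own suffix makes that suffix the authentic sender
    // rather than whatever bytes the sub-call payload ended with.
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes memory context = isTrustedForwarder(msg.sender)
            ? msg.data[msg.data.length - 20:]
            : new bytes(0);
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "multicall: sub-call failed");
            results[i] = ret;
        }
    }

    // Example protected function: attributes the action to the resolved sender.
    function ping() external {
        nonces[_msgSender()] += 1;
    }
}
```

A simple regression check for an upgraded contract is to send, via the forwarder, a multicall whose sub-call ends in a foreign address and confirm that `nonces` is incremented for the signer, not for that address.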
A recent article in Cointelegraph Magazine discussed how artificial intelligence (AI) can assist in auditing smart contracts and bolster cybersecurity efforts. James Edwards, the lead maintainer for cybersecurity investigator Librehash, noted that while AI chatbots can develop smart contracts, deploying them in live environments carries risks.
However, Edwards also acknowledged AI’s potential in vetting smart contracts. Recent tests demonstrated AI’s capability to audit contracts with remarkable accuracy, surpassing expectations and the performance of GPT-4. While AI may not yet match the expertise of a human auditor, it can effectively conduct a preliminary review, accelerating and enhancing the auditor’s work.