Address Spoofing Attack: The Combination of ERC2771 and Multicall is a Bomb
Situation Summary

THIRDWEB is a platform for developers. It offers a smart contract development toolkit with 1-click deployment of NFT, Marketplace, ERC20 token contracts, etc. The contracts deployed through THIRDWEB depend on ERC2771 and Multicall from the OpenZeppelin library. The bad interaction between these two components created a critical vulnerability that affected the blockchain community worldwide. More than 8,000 contracts across different chains were deployed with the vulnerable code, resulting in almost a million dollars in damage.

Technical Background

ERC2771

ERC-2771 is a meta-transaction standard. It specifies how the caller address should be resolved when a call is forwarded by a trusted forwarder. During such a call,

Multicall

Multicall is a utility contract in OpenZeppelin's libraries. It provides a function to batch multiple contract function calls into a single transaction.

Vulnerability Analysis

Root cause

Normally, the user calls the Forwarder contract (trusted by the token) to execute

Here is a snippet of the Forwarder:

Create the

Let's focus

We can see the length of the

Migration

OpenZeppelin released a new update to OpenZeppelin Contracts for both the 4.x and 5.x versions, allowing the use of

The official migration tutorial released by THIRDWEB is here: Link.

Conclusion

Finally, the discovery and prompt remediation of the vulnerability in THIRDWEB's smart contract creation toolkit highlight the crucial need for proactive security measures in the constantly growing blockchain world. The combination of ERC2771 and Multicall in deployed contracts produced an unanticipated issue with a wide-ranging impact on numerous blockchain networks. In the long run, a commitment to security is necessary. THIRDWEB and other blockchain organizations should consider a security audit of their whole smart contract development process, with the help of trustworthy third-party firms.

Ref: Work done by Verichain.
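The point of the Migration section above is that the fixed OpenZeppelin release makes the batching entry point carry the ERC-2771 sender suffix through to every sub-call. Because ERC2771Context resolves the caller from the trailing bytes of the calldata whenever msg.sender is the trusted forwarder, a delegatecall'd sub-call that receives only its own data would resolve its sender from whatever that data happens to end with; re-attaching the outer call's suffix removes that ambiguity. The contract below is an added illustration of that hardened pattern, modelled on the approach OpenZeppelin published; it is not thirdweb's or OpenZeppelin's own code. It assumes OpenZeppelin Contracts 5.0.1 or later (where ERC2771Context exposes _contextSuffixLength()) and the import paths shown; SuffixAwareMulticall, whoAmI and the constructor parameter name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import paths for OpenZeppelin Contracts >= 5.0.1.
import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
import {Address} from "@openzeppelin/contracts/utils/Address.sol";

/// Example only (hypothetical contract, not thirdweb's or OpenZeppelin's code):
/// a batching entry point that preserves the ERC-2771 sender suffix for each sub-call.
contract SuffixAwareMulticall is ERC2771Context {
    constructor(address trustedForwarder) ERC2771Context(trustedForwarder) {}

    /// Executes each encoded call against this contract via delegatecall.
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        // When the call arrives through the trusted forwarder, _msgSender() differs from
        // msg.sender and the real sender lives in the last _contextSuffixLength() bytes
        // of msg.data. Capture that suffix so it can be appended to every sub-call.
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            // Re-attach the suffix: the sub-call now resolves the same sender as the
            // outer call instead of reading whatever its own data ends with.
            results[i] = Address.functionDelegateCall(address(this), bytes.concat(data[i], context));
        }
    }

    /// Hypothetical helper showing what a batched sub-call observes as its sender.
    function whoAmI() external view returns (address) {
        return _msgSender();
    }
}
```

When this contract is called directly (msg.sender is an EOA or an untrusted contract), context is empty and each sub-call behaves as a plain delegatecall; when it is called through the trusted forwarder, whoAmI() inside the batch returns the address the forwarder appended, which is the property the patched library restores.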